PKI services in the Public Sector of the EU Member States

PKI Services for the Public Sector of the EU Member States

Dr. Dimitrios Lekkas
Dept. of Products & Systems Design Engineering
University of the Aegean

Rhodes, 9/6/2003

Objectives of the study

• To review the use of electronic signatures for e-government services.
• To identify the technologies employed for the exploitation of e-signatures.
• To discuss legal issues referring to the use of e-signatures.
• To discuss digital certificates management in the public sector.
• To provide a set of good-practices on the use of e-signatures in the public sector.

eEurope-2005: The underlying strategic framework

Based on two groups of actions:
• Services - Applications - Content
• Broadband Infrastructure - Security

Action Plan around inter-linked lines:
• Policy Measures
• Good Practices
• Benchmarking
• Policies Coordination

e-Government Services

General key actions:
• Broadband Connection
• Interoperability
• Interactive Public Services
• Public Procurement
• Public Internet Access Points
• Culture and Tourism

Key actions for security:
• Cyber Security Task Force
• Security Culture
• Secure Communication between Public Services

Our methodology at a glance

1. State-of-practice: Review of state-of-practice on e-signatures use.
2. Legal issues: Review of legal and regulatory issues on e-signatures use.
3. Standards: Review the standardization work on e-signatures.
4. Case studies: Study lessons learnt from relevant situations.
5. Survey: Identify and review relevant experiences from EU

…towards Good Practices

1. State-of-practice on Certification Services

Topics:

• Qualified Certificates (QC)
• Requirements for issuing QC
• Additional requirements for Public Sector

Qualified Certificates

• Unique identification of CSP
• Unique identification of the physical entity
• Intended purpose
• Signature verification data corresponding to subject
• Period of validity
• Identity code of the certificate
• Electronic signature of the CSP
• Usage limitations
• Case-relevant extensions

Requirements for issuing QC

• Demonstrate the appropriate reliability
• Ensure appropriate directory/revocation services
• Verify physical entity’s identity
• Employ properly qualified personnel
• Use trustworthy systems
• Protect signature creation data
• Keep records relevant to qualified certificates
• Publish policies, practices, terms, and conditions
• Maintain sufficient operation financial resources
• Ensure physical security

Additional requirements for the Public Sector

• Risk Analysis/Assessment
• ISO 9000 certification
• Personal data protection
• Insurance
• Repositories for storing signature verification data for long time

3. Standardization work

• European initiatives and bodies:
  – ETSI: Europe's contribution to world-wide standardization
  – CEN/ISSS: Information Society Standardization System
  – ICTB/EESSI: European Electronic Signature Standardisation Initiative
• International initiatives and bodies:
  – ISO & ITU: World-wide de jure standards
  – IETF: Widely accepted de facto Internet standards
  – W3C: Recommendations for structuring web documents
  – PKCS: Public Key Cryptography Standards
  – ANSI: The American perspective

Existing and emerging standards

• Secure Hardware: Smart cards, Tokens, Secure devices
• Cryptography: Cryptographic algorithms, Hash functions, Random number generators
• Digital Certificates: Formats, Distribution, Certificate Status Information (CSI)
• Certification Services: Digital signatures, Key management, Authorization, Time-stamping, Notary
• General support: ICT Security, Directory access, Database management, Repositories, Interoperability
• Management: IS management, Quality, Policy composition, Audit

4. PKI in third countries

• Canada
  – A ‘Policy Management Authority’ exists
  – ‘External subscribers’ are allowed
  – Key management resembles that of the EU Directive
• USA
  – Federal PKI is fully functional
  – Federal Bridge CA assures interoperability
  – Various ‘assurance levels’ for certificates
• Australia
  – ‘Government Public Key Authority’ exists as accreditation body
  – Various levels of certificates for individuals and non-individuals

5. Survey

Means: Questionnaire on:
(a) Existing e-services
(b) Legal status of certificates
(c) Use of certificates in the public sector
(d) Requirements from CSP
(e) Use of certificates for G2G and G2C transactions

- Sent to the 15 Member States via CIRCA
- All recipients responded
- Results taken into account and referred to in the deliverable

Survey findings

• All Member States have adopted Directive 1999/93/EC.
• In 14 Member States there is at least 1 CSP offering qualified certificates (except Ireland).
• In 13 Member States there is one authority responsible for the accreditation of CSP (except France and Ireland).
• In 13 Member States there is one authority responsible for regulating, monitoring and auditing the operation of CSP (except Ireland and UK).
• In 9 Member States the two aforementioned procedures are performed by the same entity/authority.
• In 5 Member States certificates of types other than qualified/unqualified are used.

…survey findings

• In 11 Member States CSP accreditation is voluntary for qualified certificates.
• In 7 Member States certificates have been employed in G2G transactions (3 have plans for 2003 and 3 after 2003).
• In all Member States the Public Sector obtains services from multiple CSP.
• In 14 Member States there is no nation-wide RA, which registers civil servants (except Belgium).
• In 11 Member States each governmental organization may have or operate its own RA.
• In 2 Member States (Finland and France) each sector or administration level has its own RA.

…survey findings

• 8 Member States have in place specific provisions, in case a CSP ceases operation.
• 11 Member States have in place specific provisions, in case a CSP uses its key in a way incompatible with the existing legislation

Special requirements a CSP should fulfill (number of Member States):
  Risk Analysis/Assessment: 10
  Security of CSP premises: 11
  Security of CSP equipment used for key generation: 10
  ISO 9000 certification: 4
  Compliance with personal data regulations: 11
  Appropriate skills of CSP staff: 10

…survey findings

Interoperability requirements when more than one CSP is involved (number of Member States):
  Interoperability of technology: 4
  Compatibility of the CPS: 5
  All CSP should first apply for voluntary accreditation: 6

Value Added Services the Public Sector receives from CSP (number of Member States):
  Timestamping: 8
  Notary: 4
  Non-repudiation of receipt: 4

…survey findings

• In 6 Member States there exists (or is planned) a central repository, which provides each and every civil servant with a certificate.
• In 5 Member States the role of the civil servant is associated with the certificate issuance.
• In 4 of the above 5, when a civil servant is transferred to another post, its certificate is revoked or renewed.
• In 10 Member States smart cards are used to keep signature-creation data (e.g. a private key).
• In 10 Member States audit records (logs) are kept.
• In 9 of the above 10 CSP are responsible for keeping the audit logs.

Good-practices

Working assumptions:
  – G2G and G2C transactions are included.
  – C2G transactions are not included.
  – Subject to additional sector-related requirements
  – Focus on authentication, non-repudiation, and integrity.
  – Compliance with EU Directive 99/93.

EU Directive 99/93: Article 3

Outline:
  – CSP operation
  – Accreditation and supervision
  – Certificate characteristics
  – Signature Creation Devices
  – Architectural issues
  – Information dissemination
  – Value-added Certification Services
  – Certification Practice Statement (CPS)
  – CSP cease of operation

CSP Operation

• CSP operator
  – The government is generally considered as the owner of its Public Key Infrastructure.
  – The operator may be a governmental authority, or the operation may be outsourced to the private sector.
• CSP’s cease of operation
  – Handling differs in Member States
  – Subject to prior interoperability established, certificates will be managed by another CSP, or
  – All issued certificates are revoked, or
  – Purely governmental-operated CSP (they never cease...)

Accreditation and Supervision

• Voluntary Accreditation
  – Some Member States ask for compulsory accreditation
  – Generally desired for qualified certificates issuance
  – Accreditation is not a requirement for the issuance of unqualified certificates
• Supervision
  – Establishment of national supervisory bodies in most Member States
  – Supervision, in most cases, is performed by Telecom Authorities
  – Diversification of supervision and accreditation roles is desired

Requirements for certificates

• Certificate characteristics
  – Role-based certificates tend to have heavy administrative cost.
  – Both qualified and unqualified are needed, each for specific user domain.
  – An identity certificate is needed for every civil servant. The certificates can be either identity-based only or role-based.
  – Average certificate lifecycle: 1-3 years.
• Public sector specific requirements
  – Signature lifetime is reported to be 30 years.
  – The signature lifetime should be (considerably) longer.
  – It is suggested that different keys are used for different functions (e.g. signature, authentication, encryption).

Signature creation issues

• Key management
  – Key generation should be performed under the full control of the end-user (for non-repudiation purposes)
  – No key-recovery must be possible
• Signature Creation Devices
  – Common agreement on the adoption of secure hardware tokens (e.g. smart cards)
  – Conformance with international standards is recommended.

Architectural issues

• Number of Certification Authorities
  – Support for multiple CA in each country should be ensured
  – Web of trust scalability is recommended
• Trust architectures
  – Mixed schemes may exist
  – Combination of per-sector local hierarchies, local RA, Bridge CA and Cross-certified CA should be ensured
• Registration Authorities
  – Civil servants should be given a security token, according to a standard procedure
  – Multiple RA per region or user domain should exist
  – If a central identity repository exists, then a nation-wide RA should also exist

Information dissemination

• Key distribution
  – By personal correspondence (private) and by publicly accessible repositories (public)
• Specific provision for the self-signed CA certificates distribution
  – The maintenance of the Certification Trust Lists (CTL) should be done on a per-sector basis

Value-added Certification Services

• Time-stamping
• Confidentiality
• Notary
• Audit services
• Non-repudiation of receipt
• Long-lasting data repositories

Certification Practice Statement

Conformance with IETF RFC-2527 is recommended. It should include, at least:
  – CA and RA obligations
  – Subscriber and relying party obligations
  – Addressing community
  – Certificate classes, formats, and profiles
  – Procedures description
  – Liabilities
  – Value-added services description
  – Interoperability issues
  – Information dissemination procedures

EU Directive 99/93: Article 8

• CSP should comply with data protection legislation
  – Dissemination of personal PKI information
  – Regulation of lawful access to personal data available to CSP
  – Data security measures specification
• Data protection authorities should support public authorities to monitor the CSP privacy policies

Conclusion

The result of our study is… an appropriately balanced good-practice guidance for the exploitation of Public Key Infrastructure by the Public Sector