250 likes | 610 Views
EESSI European Electronic Signature Standardisation Initiative Implementing Electronic Signature. EESSI Charter. Electronic Signature Directive is providing a common EU framework for electronic signatures (1993/93/EC)
E N D
EESSIEuropean Electronic Signature Standardisation Initiative Implementing Electronic Signature August 2002
EESSI Charter • Electronic Signature Directive is providing a common EU framework for electronic signatures (1993/93/EC) • Industry, with the assistance of European Standards Bodies, to provide an agreed framework for an open, market-oriented implementation of the Directive • EESSI put in place to co-ordinate this task (ICT-SB Dec. 98) August 2002
EESSI Objectives • Analyse needs for standards in support of minimum essential legal requirements as stated by the Directive • Assess available standards and current initiatives at national, European and international levels • Set up and implement a Programme of Work, built on international co-operation August 2002
Directive highlights • Legal recognition of electronic signatures • Technology neutral • Free flow of Products and Services • Excludes prior authorisation or licensing scheme for Certification Service Providers • Mandates supervision scheme for CSPs • Calls for monitoring of Voluntary Accreditation Scheme August 2002
Annexes of the Directive • Annex I: Requirements for qualified certificates • Annex II: Requirements for certification-service-providers issuing qualified certificates • Annex III: Requirements for secure signature-creation devices • Annex IV: Recommendations for secure signature verification August 2002
Proposed Classes of Electronic Signatures August 2002
Framework forimplementation Security/Quality level Signature Creation Device Certificate Policy Electronic Signature Syntax Trustworthy System Signature with long validity Qualified Electronic Signature Signature for limited value transactions August 2002
EESSI Organisation Steering Committee • Standard Bodies and Consensus Bodies involved in standardisation: CEN, ETSI, ISO, ECBS, EEMA, EURESCOM • Market Players: Bull, Globalsign, iD2, BT, ACE • Public Authorities and Consumers Rep’s: BSI (D), PRC (FIN), AIPA (I), DSTI (F), ECP.NL (NL), ANEC • Commission as observer: DG Enterprise, DG Information Society, DG Internal Market Expertise activity as required August 2002
EESSI Structure EESSI/SG European Telecommunications Standards Institute Industry and business, assisted by European standard bodies August 2002
Base Line for Action Capitalise on European & International activities • ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C, EURESCOM • EEMA/ECAF, ICC, ABA, ILPF • UNCITRAL Model of Law, AGB • European Projects: IST and ISIS programmes • National activities in Germany (BSI, INDI), Nordic Countries (SEIS, SAT, FDS), Italy (AIPA), Austria, Spain (FESTE), Netherlands (TTP.NL), UK (tScheme), ... August 2002
EESSI Programme Implementation • Standardization work programme • Phase 1 (work programme definition) completed 3Q1999 • Phase 2 (essential requirements for the Directive) completed • 2Q2002 • Phase 3 (requirements for different classes of electronic signature) to be completed by the end of 2002 • Phase 4 (additional requirements) to be performed in • 2002-2003 August 2002
EESSI Programme Implementation • Use of the existing standardization technical groups • CEN/ISSS E-SIGN Workshop • 30+ participants, funded Expert Teams • Deliverables: CEN Workshop Agreements (CWA) • ETSI ESI Technical Committee • 20+ Participants, funded Specialist Task Force • Deliverables: ETSI Technical Specifications (ETSI TS) • and ETSI Technical Reports (ETSI TR) • Creation of the ALGO group • Expert group providing guidance on cryptographic • algorithms and parameters in EESSI standards August 2002
Roadmap of Phase 2 EESSI Standards Certification Service Provider Trustworthy system- A.II.f Requirements for CSPs - A.II Time Stamp Qualified certificate - A.I Signature valida-tion process and environment - A.IV Signature creation process & environment (A.III) Signature format and syntax (Advanced ES) Creationdevice A.III CEN E-SIGN ETSI ESI Relying party/verifier User/signer August 2002
Phase 2 Deliverables • Target: Directive Annexes I-IV requirements and interoperability Published in 4Q2000: • Policies for Certification Service Providers, ETSI TS 101 456 (updated 2Q2002) • Profile for Qualified Certificates, ETSI TS 101 862, (updated 2Q2001) • Electronic Signature Formats, ETSI TS 101 733, (also published as 2 IETF RFC) (updated 1Q2002) August 2002
Deliverables….. Published in 3Q2001: • Security Requirements for SSCDs (EAL4), CWA 14168 • Signature Creation Process and Environment, CWA 14170 • Signature Verification Process and Environment, CWA14171 • Conformity Assessment Guidance, CWA 14172 – Parts 1-2 • Time Stamping Profile, ETSI TS 101 861 (based on IETF RFC) (updated 1Q2002) August 2002
Deliverables... Published in 4Q2001: • Security Requirements for Trustworthy Systems, CWA 14167-1 • Conformity Assessment Guidance, CWA 14172 – Parts 3-5 Published in 1Q2002: • Cryptographic Modules for CSP (MCSO-PP), • CWA 14167-2 • Security Requirements for SSCDs (EAL4+), CWA 14169 August 2002
Roadmap of Phase 3 Activities (2001) Certification Service Provider TimeStamping Authority Requirements for TSAs * Alternative Requirements for CSPs * Trustworthy Systems * CA status and validation by RP * Time Stamping Format&Protocol Qualified certificate Signature valida-tion process and environment Signature format * and syntax in XML Signature Creationdevice* Signature creation process and environment * Phase 3 Relying Party/Verifier User/Signer August 2002
Phase 3 Deliverables Published in 1Q2002: • Guidelines for the implementation of SSCDs, CWA 14355 • XML Advanced Electronic Signatures, ETSI TS 101 903 • International harmonization of Policy Requirements for CAs issuing Certificates, ETSI TR 102 040 • Signature Policies Report, ETSI TR 102 041 August 2002
Deliverables….. Published in 2Q2002: • Policy Requirements for Time Stamping Authorities, ETSI TS 102 023 • Provision of harmonized Trust Service Provider status information, ETSI TR 102 030 • XML Format for Signature Policies, ETSI TR 102 038 • Policy Requirements for Certification authorities issuing Public Key Certificates, ETSI TS 102 042 August 2002
Deliverables….. • Ongoing work: • Guide on the Use of Electronic Signatures, draft CWA 14365 • Cryptographic Module for CSP Key Generation Services, (CMCKG-PP), draft CWA 14167-3 • Application Interface for Smart cards used as SSCDs, draft CWA • Signature Policy for Extended Business Model draft ETSI TR 102 045 • Maintenance of ETSI Standards from EESSI phase 2 and 3, draft ETSI TR 102 046 • International harmonization and globalization activities, draft ETSI TR 102 047 Publication is foreseen in the second half of 2002 August 2002
Phase 4 Activities New activities are planned in 2002-2003 on the following subjects: • Maintenance of the published specifications • Harmonised provision of TSP status information • Internationalisation of Certificate Policies • Technical Standards for Signature Policies • Policy Requirements for CSPs issuing Attribute Certificates • Technical properties of Advanced Electronic Signatures • Interoperability requirements of smart Cards used as SSCDs • Conformity assessment of SSCDs supporting non Qualified Electronic Signatures • Provision of Certificates status information to Relying Parties August 2002
European perspectives • The evaluation of the EESSI specifications of the EESSI phase 2 deliverables, as answering the requirements set by the Directive has been performed by the Commission • The recognition as Generally Recognized Standards under the Directive of the EESSI phase 2 deliverables answering the requirements set in the annexes, is proposed in a draft Decision prepared by the Commission. The proposal was discussed in the meeting of the Directive Member States committee in July 2002, and generally supported • The publication in the EU OJ of the references to the deliverables produced by EESSI, as providing a proper technical framework for the implementation of the Directive should follow. It will give a positive signal to the market players for the development of products and services complying with the EESSI specifications August 2002
International Perspectives • Recognition of conformance to SSCD requirements CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security Similar ambition with Trustworthy Systems • Cross-recognition of “certification policy”: Assessment of policy mapping between US Federal PKI and ETSI-EESSI requirements • Harmonization of interoperability standards : Use of existing standards (ISO, IETF), liaisons under development (W3C, WAP Forum, EDI/XML) and submissions to IETF August 2002
EESSI on the Web • http://www.ictsb.org/EESSI_home.htm • More useful references: • ETSI:http://www.etsi.org/esi/el-sign.htm Sign up from Web-site to open El Sign mailing list • CEN:http://www.cenorm.be/isss/workshop/e-sign August 2002