
Telia Research AB, György Endersz
2001-05-08

European Electronic Signature Standardisation Initiative

EESSI Budapest Seminar at the Hungarian Communication Authority, 2001-05-08

György Endersz, Telia Research AB, Sweden
Chairman, ETSI ESI Working Group
[email protected]

Deliverables and Current Activities


EESSI SG

EESSI: European Electronic Signature Standardization Initiative

European Telecommunications Standards Institute

Industry and business, assisted by European standard bodies


EESSI Program Implementation

Phase 2 (2000) completed 2Q2001
Phase 3 (2001) deliverables to be published by the end of 2001

ETSI ESI Working Group
40-50 participants, funded Specialist Task Force, STF155, 178
Result: ETSI Technical Specifications
Chairman: [email protected]

CEN/ISSS E-SIGN Workshop
50-70 participants, funded Expert Teams
Result: CEN Workshop Agreements
Chairman: [email protected]


Directive “on a Community framework for electronic signatures, 13 Dec ‘99”

Ensures legal recognition of electronic signatures

Security and quality requirements in Annexes I-III

Qualified certificates + secure signature-creation device + advanced signatures hand-written signature

Other signatures recognised as well (Art 5.2)

Voluntary accreditation of service providers (tScheme, TTP.NL, Italy, Austria, Germany, Spain...)

Technology-neutral framework

To be in place within 18 months


Annexes of the Directive

Annex I: Requirements for qualified certificates

Annex II: Requirements for certification-service-providers issuing qualified certificates

Annex III: Requirements for secure signature-creation devices

Annex IV: Recommendations for secure signature verification


Strategy and Work Process

Focus on Directive Annexes and interoperability

Market driven

Open, transparent and co-operative

Re-use of existing work

Funded support for timeliness

European with global ambition


Roadmap of EESSI Standards

[Diagram; labels as follows]

Certification Service Provider
User/signer
Relying party/verifier
Signature creation process and environment (A.III)
Signature validation process and environment (A.IV)
Signature format and syntax (Advanced ES)
Creation device (A.III)
Requirements for CSPs (A.II)
Trustworthy system (A.II.f)
Qualified certificate (A.I)
Time Stamp
CEN E-SIGN
ETSI ESI


Phase 2 Deliverables

Published in 4Q2000:

Policies for CSPs, ETSI TS 101 456

Profile for Qualified Certificates, ETSI TS 101 862

Electronic Signature Formats, ETSI TS 101 733

Target: Annex I-IV requirements and interoperability


Deliverables...

Published in 1-2Q2001:

Security Requirements for Trustworthy Systems, CEN/ISSS CWA

Security Requirements for SSCDs, CEN/ISSS CWA

Signature Creation Process and Environment, CEN/ISSS CWA

Signature Verification Process and Environment, CEN/ISSS CWA


Deliverables...

Time Stamping Profile, ETSI TS 101 861, waiting for IETF RFC number of mother document, by early 1Q2001

Conformity Assessment Guidance, Part 1, CEN/ISSS CWA


Requirements for Certification Service Providers (CSPs)

Functional, quality and security requirements expressed in Certificate Policy and security controls

Consistent requirements to provide the basis for implementation, audit and approval

Current work responds to Directive requirements for CSPs issuing Qualified Certificates, Annex II

Requirements for other class(es) to meet market needs


Baseline Requirements
• Security Management
• PKI
• Organisational

Obligations & Liability

[Diagram labels: Issuing CSP, Relying Party, Subscriber, RA, Directory]

Qualified Certificate Policies
- QCP Public
- QCP Public + SSCD
- Framework for other QCPs


Trustworthy Systems for CSPs

Technical security requirements for products and technology components used by CSPs to create certificates for the use of advanced signatures.

To meet security requirements stated in the work area „Requirements for CSPs“. Seek consistent overlap of specifications.

The use of FIPS 140-1 is considered for the cryptographic module requirements until European specifications become available (Phase 3 action).


Profile for Qualified Certificate (QC)

Standard for the use of X.509 public key certificates as qualified certificates

European profile based on current IETF PKIX draft as required by Annex I of the Directive


Qualified Certificate Statements

The profile uses, as an option, the private extension defined in the IETF QC profile, to include the following explicit statements of the Issuer:

Statement claiming that the certificate is issued as a Qualified certificate. OID will point to relevant policy standard

Statement regarding limits on the value of transactions for which the certificate can be used

Statement regarding the retention time of identification data
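
The three issuer statements above, as a relying party would read them out of a certificate. This is an added example, not part of the original slides: the object identifiers and ASN.1 layouts are taken from ETSI TS 101 862 and the IETF QC profile rather than from this presentation, the sample bytes are constructed, and the limit-value currency is assumed to use the alphabetic form.

```python
QCS = "0.4.0.1862.1."  # id-etsi-qcs arc, taken from TS 101 862 (not on the slides)
NAMES = {QCS + "1": "QcCompliance", QCS + "2": "QcLimitValue",
         QCS + "3": "QcRetentionPeriod"}

def read_tlv(buf, pos):  # -> (tag, value bytes, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(val):
    arcs, acc = [], 0
    for b in val:
        acc = (acc << 7) | (b & 0x7F)
        if b < 0x80:  # last byte of this arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_qc_statements(der):
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    found = {}
    for _, stmt in children(seq):
        parts = list(children(stmt))
        name = NAMES.get(decode_oid(parts[0][1]))
        if name == "QcCompliance":
            found[name] = True
        elif name == "QcRetentionPeriod":  # INTEGER, years
            found[name] = int.from_bytes(parts[1][1], "big")
        elif name == "QcLimitValue":  # SEQUENCE {currency, amount, exponent}
            cur, amount, exp = children(parts[1][1])
            value = int.from_bytes(amount[1], "big") * 10 ** int.from_bytes(exp[1], "big", signed=True)
            found[name] = (cur[1].decode("ascii"), value)
    return found

SAMPLE = bytes.fromhex(  # constructed: compliance, 5*10^3 EUR limit, 10 years
    "302e3008060604008e460101"
    "3015060604008e460102300b1303455552020105020103"
    "300b060604008e46010302010a")
```

Statements with an unrecognised OID are skipped, so a certificate carrying only other statements yields an empty result rather than a claim of qualified status.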


SSCD: the trusted element at the user

EU-directive requires SSCD to be evaluated and „confirmed“ by national bodies

A specific Common Criteria Protection Profile will address appropriateness

It reflects the requirements regulated in Annex III of the signature Directive

It is aimed to remain technology neutral as long as security is not impaired

Use of SSCD to be represented in QC

SSCD: Secure Signature Creation Device


The Scenario

[Diagram: SSCD scenario. Labels: SSCD, HI, I/O, trusted path, TOE, Scope of PP, Installation, Operation, Addressed by PP, Requirements to environment]

SSCA: Secure signature creation application

SSCDGA: Secure signature creation data generation application

The SSCD is the device „getting in touch“ with the private key.

The SSCD comprises the whole lifecycle.

The SSCD assumes an appropriate environment for its application.

Trusted paths are offered to meet security requirements.


Electronic Signature Formats

• Defines interoperable syntax and encoding for signature, validation data and signature policy. Builds on existing PKI and digital signature standards

• Format part approved by the IETF as an Informational RFC, the Signature Policy part as an IETF Experimental Protocol

• Co-operative implementation project in preparation to validate standard and provide free software

• Aim: to harmonise development with XML signatures and create XML version (Phase 3 action).


ETSI Electronic Signature

Signers Structures

[Diagram: Elect. Signature (CMS with signed attributes). Labels: Content Type Attributes, Message Digest, Attributes, Signing time Attribute, Id of signing Certificate att, Signature Policy ID att, Digital Signature]

ES = The ETSI Electronic Signature as generated by the signer.


ETSI ES-T and ES-C

Verifiers Structures

[Diagram labels: ES-C, ES-T, Elect. Signature (CMS signed attributes), Signature Policy ID att, Other Signed Attributes, Digital Signature, Unsigned attribute: Timestamp over digital signature, Unsigned Attribute: Complete certificate and revocation references]

Unsigned attributes added for long term verification

ES-T = The ETSI Timestamp Electronic Signature. Timestamp attribute may be absent, if secure records prove the time of the ES

ES-C = The ETSI complete Electronic Signature with references to all information needed to check its validity


Format and Protocol for Time Stamp

Profile based on current IETF PKIX draft

Time stamps used for signature validation, e.g. in ES 201 733 Electronic Signature Formats

Harmonisation of ISO-IETF activities: IETF draft may become a compatible subset of the ISO specifications


Roadmap of Phase 3 Activities (2001)

[Diagram; labels as follows]

Certification Service Provider
User/Signer
Relying Party/Verifier
Time Stamping Authority
Signature creation process and environment
Signature validation process and environment
Signature format * and syntax in XML
Signature Creation device *
Alternative Requirements for CSPs *
Trustworthy Systems *
Qualified certificate
Time Stamping Format & Protocol
Requirements for TSAs *
CA status and validation by RP *

* Phase 3


EESSI Phase 3 Activities (2001)

CEN/ISSS:

Security Requirements for Trustworthy systems
- Finalisation of the General Security Requirements
- Protection Profile for Cryptographic Modules used by CSPs

Security requirements for Signature Creation Devices in different environments and types of use
- Guidance for writing Security Targets for different types of SSCDs, such as smart cards, mobile phones and PDAs
- Security requirements for SCDs in e-commerce using 5.2 signatures


Phase 3 Activities…..

Security Requirements for Cryptographic Modules

- Common Criteria PP to protect the CA private key and the certificate signing process

- International harmonisation: the aim is to liaise with NIST

- CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security


Phase 3 Activities…..

ETSI ESI WG:

Security management and certificate policy for CSP issuing Trusted Time-Stamps

Requirements for CSPs issuing certificates, which meet classes of requirements different from those for qualified certificates

Electronic Signature syntax and encoding formats in XML

Technical aspects of signature policies

Harmonised provision of CSP status information


CSP status information for Relying Parties

National schemes include procedures to make such information available, e.g. CSP not able to fulfill obligations, failed audit, etc. Gray zone between accreditation/supervision and technical interoperation

A framework and simple formats and mechanisms are needed to store and retrieve such information so as to become available (on-line) over domain borders

Work item to assess infrastructure and interoperability requirements and suggest solutions.

Co-operation with national schemes via EESSI and ESI membership


CA (TSP) Status information

[Diagram; labels as follows]

User/Signer
Relying Party/Verifier
CA
CA status info provider
Signature creation process and environment
Signature validation process and environment
Signature Creation device *
Qualified certificate
CA status and validation by RP


CA (TSP) Status information

Items to harmonise regarding status info:

• Content and format

• Distribution, storage and management

• Technical means to find, access and validate information

• Measures to ensure trust and security


Phase 3 Activities…….

Algorithm Group

Expert group providing guidance on cryptographic algorithms and parameters in EESSI standards. Regular review and maintenance of specifications

Reference implementation of ES Format standard

Funded activity with the aim of validating the standards ES-format, QC-profile and Time Stamp. Promote applications by releasing source code.


Phase 3 Activities……

Currently discussed

• Use of smart cards for creating electronic signatures

• Requirements for CSPs issuing attribute certificates

• Signature policy for common business practices


International Perspectives

Recognition of conformance to SSCD requirements
CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security

Similar ambition with Trustworthy Systems

Cross-recognition of “certification policy”
Assessment of policy mapping between US Federal PKI and ETSI-EESSI requirements

Harmonization of interoperability standards
Use of existing standards (ISO, IETF), liaisons under development (W3C, WAP Forum, EDI/XML) and submissions to IETF


References

ETSI: http://www.etsi.org/sec/el-sign.htm
Sign up from Web-site to open El Sign mailing list

CEN: http://www.cenorm.be/isss/workshop/e-sign

EESSI: http://www.ict.etsi.org/eessi/EESSI-homepage.htm