Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7...
-
Upload
elisha-fitchett -
Category
Documents
-
view
216 -
download
0
Transcript of Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7...
![Page 1: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/1.jpg)
Policy interoperability in electronic signatures
Andreas Mitrakas
EESSI International event, Rome, 7 April 2003
![Page 2: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/2.jpg)
Agenda
• Interoperability in 1999/93/EC
• Policy interoperability
• Format interoperability
• Content interoperability
• Aspects of Policy architecture
![Page 3: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/3.jpg)
Scope of interoperability
• Policy interoperability is an issue broader than electronic signatures since it is often be linked to the underlying transaction
• Policy interoperability in electronic signatures can be addressed by:
• using international standards (e.g.: IETF)
• using European standards (e.g.: EESSI deliverables)
• using specific bilateral agreements
• Adhering to common operational rules
• etc
Standards OR agreement interoperability
![Page 4: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/4.jpg)
Objective for policy interoperability
• Policy is used to adapt legal and business requirements in a particular operational context
• The objective for policy interoperability is to ensure the policy and liability conditions across multiple electronic signature infrastructures to establish Trust
• Equivalence must be established at the:• Technical
• Organisational/procedural
• Legal level
Liability rules + Policy limitations Limits of Trust
![Page 5: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/5.jpg)
Interoperability
• Interoperability has become necessary to deliver e.g. trusted public services in the field of e.g. tax and customs, social security, exchanges between administrations etc.
• Interoperability and standards development are a priority for government and vendors
• It is further required to enhance application interoperability through:
• Specific rules in electronic document exchange to render electronic signature enforceable
(Policy) interoperability necessary for EU harmonisation
![Page 6: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/6.jpg)
Directive 99/93/EC
![Page 7: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/7.jpg)
Interoperability in 99/93/EC I
• 99/93/EC aims at harmonising the internal market and sets out interoperability objectives
• Coherence with existing international standards• IETF
• European standardisation
• Privacy Protection (art. 8)
Electronic signatures shall not make data mining easier!
Pseudonyms are explicitly permitted
![Page 8: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/8.jpg)
Interoperability in 99/93/EC II
• EU Mutual recognition (art. 5)• A common framework of technical standards has been
developed by CEN/ISSS and ETSI in the EESSI framework
• 99/93/EC refers to such standards
• Multilateral co-operation among supervising authorities
• Legal relevance (art. 5)• Advanced signatures, created with a Secure signature
Creation Device for which a Qualified Certificate has been issued, are equal to handwritten signatures (5.1)
• To other legal relevance cannot be denied in principle
![Page 9: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/9.jpg)
Policy Aspects
![Page 10: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/10.jpg)
CP and CPS
• Typical electronic signature doctrine foresees: • A general framework for a CP & a CPSs for CAs and PKIs
• A checklist of topics to be covered in a certificate policy definition or a CPS
• Level of trust in a certificate depends on factors such as:• CA Practices to verify the identity of subjects’ identity
• CA’s operating policy, procedures, and security controls
• Subject’s obligations (e.g., to protect private key, revoke cert when compromised etc.)
• Warranties and obligations of the CA (e.g., warranties & limitations on liability)
![Page 11: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/11.jpg)
Certificate Policy
• A Certificate Policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements
• High level document that describes the objectives of a PKI
• It refers to a group of domains rather than a single domain alone
• It is normative in a way that describes “what” to address in a PKI
• A Policy could be the scope of an application domain rather than a PKI domain
• Scope of the CP is to ascertain interoperability (if that is the goal)
• Hence a standardised format makes good sense (e.g. RFC 2527)
![Page 12: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/12.jpg)
Certification Practice Statements (CPSs)
• A CPS is a detailed description of practices used by a CA to issue and manage certificates published by the CA
• According to American Bar Association (ABA) Digital Signature Guidelines,
• “a CPS is a statement of the practices which a CA employs in issuing and managing certificates”
• RFC 2527 gives a framework to support authors of CPs or CPS’
![Page 13: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/13.jpg)
CPS content
• CPS is the main source of information on the provision of a CAs public and/or private certification services and related procedures
• User must view, read and accept the CPS prior to applying for a cert -- Is that real?
• CPS describes in great detail the practices and procedures it uses for issuing and managing certificates
• A CPS could be reviewed and audited periodically by a recognized auditor
![Page 14: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/14.jpg)
RFC 2527 Update
![Page 15: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/15.jpg)
Updated draft
• RFC 2527
• Describes a dynamic Certificate Policy Framework
• Encompasses experience from • application of the Framework since 1999
• PKI application
• better address legal requirements
• It also• Explains CP and CPS roles and differences better
• Explains better that framework can apply to all PKI entities: CA, RA, Repository, Subscribers, Relying Parties, Others
![Page 16: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/16.jpg)
Evolution
• RFC 2527:
• Supports managed electronic signature policies
• Provides an education and training tool on electronic signature policies
• Shapes electronic signature policies to influence the growth of business and technology
• Is subjected to periodic review and updating
• Is a tool to develop and maintain electronic signature policies with a specific application domain or user community
![Page 17: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/17.jpg)
![Page 18: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/18.jpg)
Source
EU Directive 1999/93/EC “A Community Framework for Electronic Signatures”
Annex II: Requirements for CAs issuing qualified certificates
![Page 19: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/19.jpg)
ETSI Policy Requirements for CAs Issuing Qualified Certificates
ETSITS 101 456
Directive 99/93/EC Annex II“Requirements forCertification Service Providers”
CA PracticesPolicy Standardse.g. RFC 2527,ANSI X9.29
EuropeanCSPAccreditationSchemes
CA QualifiedCertificate
Policy
input
ETSITS 101 042
CA genericCertificate
Policy
![Page 20: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/20.jpg)
Qualified Certificate Policy framework
• Objectives
• QCP for CAs issuing qualified certificates to the public
• QCP for CAs issuing qualified certificates to the public requiring a secure signature creation device
• Framework for the definition of other CPs
• Set out objectives for CSPs that meet the requirements of the 99/93/EC and enhance interoperability
![Page 21: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/21.jpg)
Issues of policy architecture
![Page 22: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/22.jpg)
Interoperability models
Policy is essential for subscribers, relying parties and interoperability
Hierarchical model accepting subordination to another CAs policy
Cross-certificationCostly administrationAbsence of comprehensive standardsMultiple negotiations, varying contracts and agreements
Peer to peer trustSingle contracting partyWidely accepted and agreed standardsCustomizable chain of Trust
![Page 23: Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.](https://reader030.fdocuments.in/reader030/viewer/2022032517/56649c8a5503460f9494474c/html5/thumbnails/23.jpg)
Policy driven interoperability
Fr CAIR CABologna
CARoma CAIL CA Sp CAUK CA
RootSign
Applicant
PAN-EUROPEAN CertificationAuthority
UKDirectory
ILDirectory
IRDirectory
SpDirectory
RomaDirectory
BolognaDirectory
FrDirectory
UK OCSPResponder
IR OCSPResponder
IL OCSPResponder
Sp OCSPResponder
RomeOCSP
Responder
BolognaOCSP
Responder
Fr OCSPResponder
Policy driven environment for•Accreditation
•Cross recognition