CEN TC224 esign activities ETSI Security workshop 2013/01/16 Beatrice PEIRANI, GEMALTO Expert ETSI STF 425, CEN WG16
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 Perspectives 2
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 Perspective 3
European Directive 1999/93/EC Motivation Electronic communication and commerce necessitate electronic signatures and related services for data authentication. Divergent rules with respect to legal recognition of electronic signatures; accreditation of certification-service providers in the Member states. Interoperability of electronic signature products should be promoted. Ancillary services should be considered. The European Directive 1999/93/EC «On a community framework for electronic signatures» Ensures legal recognition of electronic signatures. Equivalence with hand-written signature. Defines security and quality requirements for different levels of electronic signature. The Commission Decision 2003/511/EC on generally recognized standards for e-signature products lists in Annex: CWA 14167-1 (system security requirements for CSP) CWA 14167-2 (PP for crypto module for CSP signing operations) CWA 14169 (PP for SSCD) Two standardization groups involved: ETSI and CEN (within EESSI) 4
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 Perspective 5
Digital Agenda for Europe EC Public consultation on electronic identification, authentication and signature (March-April 2011) Stresses need for standardization. New drivers for esignature and ancillary services: Public e-procurement Services Directive Business processes automation (invoicing, transferring documents) eid cards infrastructure European Mandate M/460 on Information and Communication Technologies applied to Electronic Signatures (launched end 2010) Decision to revise the Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures 6
EC Mandate 460: objectives and organization Given to CEN TC224 and ETSI ESI 2011-2014 Objective: simplify the use of European esignature Standards: create a rationalized framework. provide guidance helping to implement esignature in an interoperable way. introduce usage guidelines & be more business oriented fill in details where existing standards have been too open to interpretation. update standards and develops missing standards See http://www.e-signatures-standards.eu 7
Rationalised Framework: global view Trust Service Status (Lists) Providers Testing Compliance Interoperability & 6 functional areas 5 types of documents TSPs supporting esignature Signature Creation & Validation Trust Application Service Providers TSP Certificates TSSP SGSP SVSP Registered email Data Preservation Testing Compliance & Interoperability Testing Compliance & Interoperability Testing Compliance & Interoperability CAdES XAdES PAdES ASiC Testing Compliance & Interoperability Testing Compliance Interoperability & Testing Compliance & Interoperability Testing Compliance Interoperability & Testing Compliance & Interoperability Testing Compliance Interoperability & Testing Compliance Interoperability & Testing Compliance Interoperability & Testing Compliance Interoperability & Testing Compliance & Interoperability Testing Compliance Interoperability & Signature Creation & other related Devices SSCD Testing Compliance Interoperability & Testing Compliance Interoperability & Other SCDs Testing Compliance Interoperability & Cryptographic Suites Suites Requirements 8
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 Perspective 9
New regulation 2012, June 4th http://ec.europa.eu/information_society/policy/esig nature/eu_legislation/regulation/index_en.htm Proposal for a regulation of the European Parliament and of the Council on trust and confidence in electronic transactions in the internal market (Electronic Trust Services Regulation) To replace the European Directive on Electronic Signature 1999/93/EC Enlarged scope From signature to identification and trust services 10 Different application From directive to regulation
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 General information Perspective 11
CEN/TC 224 General information Title Personal identification, electronic signature, cards and their related systems and operations History Established on 1989 by a CEN Technical Board decision BTC 193/1989. Referring to the new program of work including CEN/ISSS Workshop on electronic signature CWAs on 2005-04-14/15. Launching of new TC224 WGs on 2005. 12 One of the IT Technical Committee of CEN Production of EN and TS Support of European Policies Manufacturers, operators of various sectors, providers of applications and security, testing companies, public authorities, consumers Intersectorial Technical Committee
CEN/TC224: past and present Over 60 standards published 1990 General card 2000 2010 characteristics 4/0* Telecom ICC & Terminal 8/0* Intersector Electronic Purse 5/0* Health cards 4/0* Transport data elements & applications 5/2* User Interface 6/1* European Citizen Cards 4/5* Electronic Signature 2/19* Biometrics 1/2* 13 *X/Y - X: Published documents still active - Y: Drafts in progress (revision or new documents)
Working groups of CEN/TC 224 WG 6 User Interface WG 11 Surface Transport Applications WG 15 European Citizen Card J. JONES UK K. PHILIPP GERMANY M. FAHER FRANCE WG 16 Smart cards used as secure signature creation devices WG 17 Protection Profiles in the context of e-sign WG 18 Interoperability of Biometrics recorded data G. MEISTER GERMANY C. SUTTER GERMANY N. DELVAUX FRANCE 14
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 Working groups involved in IAS Perspective 15
Signature context EN-14167 TSP CA, TSA Certificates CRL TST Advanced electronic signature SCA /SVA digest Cryptographic signature SSCD Private Key (M) Certificate (O) EN-14170 EN-14169 EN-14890 16
CEN/TC 224 WG17 Protection Profiles in the context of electronic signatures History CWA 14169 (published in 2004) CWA 14167 (published in 2004) CWA 14170 (published in 2004) 17
Global view on WG17 on-going work Device Application System PP 14169 (SSCD): Protection profiles for secure signature creation device Starting from CWA 14169 PP EAL 4+ AVA_VLA.4 (CC v2.3), BSI certified SCD/SVD generation, SCD storage, signature-creation. Core PPs + extensions for TC EN 419211 PP DAUTH: Security requirements for device for authentication Starting from EN 16248 CEN review New needs : Evaluation/Certification of PP (EAL4+ AVA_VAN.5) EN 419251 PP SCA/SVA: Security requirements for Signature Creation Applications and Signature Verification applications. Starting from CWA 14170 for SCA. CEN review. New needs: Evaluation/Certification of PP (EAL 4) EN 419111 PP 14167: Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures Starting from CWA 14167 PP EAL4+ AVA_VLA.4 (CC v2.3), ANSSI certification in progress Registration, certificate generation, dissemination, revocation management and revocation status New needs: move from TS to EN EN 419221 PP Time-Stamping: Protection profile for Trustworthy systems supporting time stamping Starting point will be French ANSSI PP-SH-CCv3.1 (EAL3+ AVA_VAN.5, 2008) EN 419231 18
CEN/TC 224 WG16 EN 14890 «Application Interface for smart cards used as SSCD The smart card used as SSCD shall be able to produce Qualified electronic signatures. support the concrete implementation of the European legal framework for electronic signatures. be the base standard for cards personalized with Identification, Authentication and Digital Signature (IAS) services. The standard shall be compliant with other European standards developed in the framework of the EU Directive 1999/93. History CWA 14890 (CEN ESign Area K, published in 2004) EN 14890 (CEN TC 224 WG16, published in 2008) New EN 14890 planned for publication in 2013-2014 (draft delivery Q3 2011) 19
EN 14890: Crypto toolbox Basic services Digital signature service Certificates storage Key generation User verification Device authentication One symmetric protocol (Key transport protocol ) 2 asymmetric protocols (privacy protocol, meac protocol) 1 protocol for Password-based authentication (PACE v2) Secure Messaging Additional services Encryption key decipherment Client/server authentication Role authentication Signature verification Privacy context functions (Age verification, Restricted Identification, mera-based eservices with TTP) Consistency with ISO 7816-4 The basics for European Citizen Card (ECC TS 15480) 20
CEN/TC 224 WG15 TS 15480 European Citizen Card (ECC) First delivery in 2007 for part 1 and part 2 Technical Standard in conformance to ISO 7816 EN 14890 Services and additional Security Architecture according to ISO/IEC 7816-4 suitable for Citizen Cards Identity Cards Combined Cards 21
CEN/TC 224 WG15: ECC series 22 ECC-1 Physical, electrical and transport protocol (revision) Published on Nov. 2012 (published first on June 2007) ECC-2 Logical data structures and security services (revision) Published on July 2012 (published first on June 2007) ECC-3 ECC interoperability using application interface (revision) (Published first on 2010) ECC-4 Recommendations for European Citizen Card issuance, operation and use Published first on April 2011 ECC-5 General introduction Just starting Formal Vote (till Jan 2013), first TS publication planned on April 2013
Agenda Introduction EU Mandate M/460 EU regulation on electronic trust services CEN TC224 Perspective 23
Perspective A lot of work has been done Many standards available RF document But a lot of work still to be done M/460 Phase 2 Impact of Regulation Enlarged scope to IAS 24
Any question? Thanks! beatrice.peirani@gemalto.com