EESSI European Electronic Signature Standardisation Initiative

Provided by: etsi5

1
EESSI: European Electronic Signature
Standardisation Initiative
Implementing Electronic Signature
2
EESSI Charter
  • Electronic Signature Directive is providing a
    common EU framework for electronic signatures
    (1993/93/EC)
  • Industry, with the assistance of European
    Standards Bodies, to provide an agreed framework
    for an open, market-oriented implementation
    of the Directive
  • EESSI put in place to co-ordinate this task
    (ICT-SB Dec. 98)

3
EESSI Objectives
  • Analyse needs for standards in support of
    minimum essential legal requirements as stated
    by the Directive
  • Assess available standards and current
    initiatives at national, European and
    international levels
  • Set up and implement a Programme of Work, built
    on international co-operation

4
Directive highlights
  • Legal recognition of electronic signatures
  • Technology neutral
  • Free flow of Products and Services
  • Excludes prior authorisation or licensing scheme
    for Certification Service Providers
  • Mandates supervision scheme for CSPs
  • Calls for monitoring of Voluntary Accreditation
    Scheme

5
Annexes of the Directive
  • Annex I: Requirements for qualified
    certificates
  • Annex II: Requirements for
    certification-service-providers issuing
    qualified certificates
  • Annex III: Requirements for secure
    signature-creation devices
  • Annex IV: Recommendations for secure signature
    verification

6
Proposed Classes of Electronic Signatures
7
Framework for implementation
[Diagram; surviving labels: Security/Quality level; Signature Creation Device; Certificate Policy; Electronic Signature Syntax; Trustworthy System; Signature with long validity; Qualified Electronic Signature; Signature for limited value transactions]
8
EESSI Organisation
  • Steering Committee
  • Standard Bodies and Consensus Bodies involved in
    standardisation: CEN, ETSI, ISO, ECBS, EEMA,
    EURESCOM
  • Market Players: Bull, Globalsign, iD2, BT, ACE
  • Public Authorities and Consumers Reps: BSI (D),
    PRC (FIN), AIPA (I), DSTI (F), ECP.NL (NL),
    ANEC
  • Commission as observer: DG Enterprise, DG
    Information Society, DG Internal Market
  • Expertise activity as required

9
EESSI Structure
[Organisation chart; surviving labels: EESSI/SG; European Telecommunications Standards Institute; Industry and business, assisted by European standard bodies]
10
Base Line for Action
  • Capitalise on European and international activities
      • ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C,
        EURESCOM
      • EEMA/ECAF, ICC, ABA, ILPF
      • UNCITRAL Model of Law, AGB
  • European Projects: IST and ISIS programmes
  • National activities in Germany (BSI, INDI),
    Nordic Countries (SEIS, SAT, FDS), Italy
    (AIPA), Austria, Spain (FESTE), Netherlands
    (TTP.NL), UK (tScheme), ...

11
EESSI Programme Implementation
  • Standardization work programme
      • Phase 1 (work programme definition) completed
        3Q1999
      • Phase 2 (essential requirements for the
        Directive) completed 2Q2002
      • Phase 3 (requirements for different classes of
        electronic signature) to be completed by the
        end of 2002
      • Phase 4 (additional requirements) to be
        performed in 2002-2003

12
EESSI Programme Implementation
  • Use of the existing standardization technical
    groups
  • CEN/ISSS E-SIGN Workshop
      • 30 participants, funded Expert Teams
      • Deliverables: CEN Workshop Agreements (CWA)
  • ETSI ESI Technical Committee
      • 20 participants, funded Specialist Task Force
      • Deliverables: ETSI Technical Specifications
        (ETSI TS) and ETSI Technical Reports (ETSI TR)
  • Creation of the ALGO group
      • Expert group providing guidance on
        cryptographic algorithms and parameters in
        EESSI standards

13
Roadmap of Phase 2 EESSI Standards
[Diagram; surviving labels: Certification Service Provider; Trustworthy system (A.II.f); Requirements for CSPs (A.II); Time Stamp; Qualified certificate (A.I); Signature validation process and environment (A.IV); Signature creation process and environment (A.III); Signature format and syntax (Advanced ES); Creation device (A.III); CEN E-SIGN; Relying party/verifier; ETSI ESI; User/signer]
14
Phase 2 Deliverables
  • Target: Directive Annexes I-IV requirements and
    interoperability
  • Published in 4Q2000
      • Policies for Certification Service Providers,
        ETSI TS 101 456 (updated 2Q2002)
      • Profile for Qualified Certificates,
        ETSI TS 101 862 (updated 2Q2001)
      • Electronic Signature Formats, ETSI TS 101 733
        (also published as 2 IETF RFC) (updated 1Q2002)

15
Deliverables..
  • Published in 3Q2001
      • Security Requirements for SSCDs (EAL4),
        CWA 14168
      • Signature Creation Process and Environment,
        CWA 14170
      • Signature Verification Process and Environment,
        CWA 14171
      • Conformity Assessment Guidance,
        CWA 14172 Parts 1-2
      • Time Stamping Profile, ETSI TS 101 861 (based
        on IETF RFC) (updated 1Q2002)

16
Deliverables...
  • Published in 4Q2001
      • Security Requirements for Trustworthy Systems,
        CWA 14167-1
      • Conformity Assessment Guidance,
        CWA 14172 Parts 3-5
  • Published in 1Q2002
      • Cryptographic Modules for CSP (MCSO-PP),
        CWA 14167-2
      • Security Requirements for SSCDs (EAL4),
        CWA 14169

17
Roadmap of Phase 3 Activities (2001)
[Diagram; surviving labels: Certification Service Provider; Time Stamping Authority; Requirements for TSAs; Alternative Requirements for CSPs; Trustworthy Systems; Time Stamping Format/Protocol; CA status and validation by RP; Qualified certificate; Signature validation process and environment; Signature format and syntax in XML; Signature creation process and environment; Signature Creation device; Phase 3; Relying Party/Verifier; User/Signer]
18
Phase 3 Deliverables
  • Published in 1Q2002
      • Guidelines for the implementation of SSCDs,
        CWA 14355
      • XML Advanced Electronic Signatures,
        ETSI TS 101 903
      • International harmonization of Policy
        Requirements for CAs issuing Certificates,
        ETSI TR 102 040
      • Signature Policies Report,
        ETSI TR 102 041

19
Deliverables..
  • Published in 2Q2002
      • Policy Requirements for Time Stamping
        Authorities, ETSI TS 102 023
      • Provision of harmonized Trust Service Provider
        status information, ETSI TR 102 030
      • XML Format for Signature Policies,
        ETSI TR 102 038
      • Policy Requirements for Certification
        authorities issuing Public Key Certificates,
        ETSI TS 102 042

20
Deliverables..
  • Ongoing work
      • Guide on the Use of Electronic Signatures,
        draft CWA 14365
      • Cryptographic Module for CSP Key Generation
        Services (CMCKG-PP), draft CWA 14167-3
      • Application Interface for Smart cards used as
        SSCDs, draft CWA
      • Signature Policy for Extended Business Model,
        draft ETSI TR 102 045
      • Maintenance of ETSI Standards from EESSI phase 2
        and 3, draft ETSI TR 102 046
      • International harmonization and globalization
        activities, draft ETSI TR 102 047
  • Publication is foreseen in the second half of 2002

21
Phase 4 Activities
  • New activities are planned in 2002-2003 on the
    following subjects:
      • Maintenance of the published specifications
      • Harmonised provision of TSP status information
      • Internationalisation of Certificate Policies
      • Technical Standards for Signature Policies
      • Policy Requirements for CSPs issuing Attribute
        Certificates
      • Technical properties of Advanced Electronic
        Signatures
      • Interoperability requirements of smart Cards
        used as SSCDs
      • Conformity assessment of SSCDs supporting non
        Qualified Electronic Signatures
      • Provision of Certificates status information to
        Relying Parties

22
European perspectives
  • The Commission has evaluated the EESSI phase 2
    deliverables against the requirements set by
    the Directive
  • A draft Decision prepared by the Commission
    proposes recognising the EESSI phase 2
    deliverables that answer the requirements set in
    the annexes as Generally Recognized Standards
    under the Directive. The proposal was discussed
    at the July 2002 meeting of the Directive Member
    States committee and was generally supported
  • Publication in the EU OJ of the references
    to the deliverables produced by EESSI, as
    providing a proper technical framework for the
    implementation of the Directive, should follow.
    It will give a positive signal to market
    players for the development of products and
    services complying with the EESSI specifications

23
International Perspectives
  • Recognition of conformance to SSCD requirements:
    CC MRA (Arrangement on the Mutual Recognition of
    CC Certificates in the Field of IT Security).
    Similar ambition with Trustworthy Systems
  • Cross-recognition of certification policy:
    assessment of policy mapping between US Federal
    PKI and ETSI-EESSI requirements
  • Harmonization of interoperability standards:
    use of existing standards (ISO, IETF), liaisons
    under development (W3C, WAP Forum, EDI/XML)
    and submissions to IETF

24
EESSI on the Web
  • http://www.ictsb.org/EESSI_home.htm
  • More useful references
  • ETSI: http://www.etsi.org/esi/el-sign.htm (sign
    up from the web site to the open El Sign mailing
    list)
  • CEN: http://www.cenorm.be/isss/workshop/e-sign