AUDIT GUIDELINES FOR A GOV TSP TSP OF THE BASQUE ADMINISTRATION

Transcription

1 AUDIT GUIDELINES FOR A GOV TSP TSP OF THE BASQUE ADMINISTRATION

2 IZENPE: A GOV TSP Created in Owners: Basque Government and Regional Governments of the Basque Country ISO 27001, ETSI TS and Webtrust for EV Certified Goal: To promote the electronic signature within the public administration and the citizenship Numbers: Time stamps: 2 millions/month Validations: 1,8 millions/month Qualified certs issued: aprox (citizens and entities in SSCD) Non qualified certs issued: aprox (including 100 EVs)

3 ALL THAT IS LIKE FILM INDUSTRY = CRITICS -Auditors/ EA/IAF- = STUDIOS -GOVERMENT- MOVIE DIRECTOR -TSP/CSP- = = ACADEMY AWARDS -Standards- PRODUCER -Site owner- = = ACTORS -CA-RA-VA-TSA- CINEMAS -Browser- = = ESPECTATORS -Users-

4 OUR VISION? = MOVIE DIRECTOR -TSP/CSP-

5 DOES THE CSP/TSP (DIRECTOR)) NEED «BETTER» AUDIT GUIDELINES? Only the CSP/TSPs (Directors)? What about auditors (Critics)? And national accreditation bodies? And national notification bodies? And browsers (cinemas)? Relying parties?

6 W WHO WATCHES THE «WATCHMEN»?? Users browsers Browsers CPS/TSP CSP/TSP standards Standards ETSI/ISO/etc. Auditors CSP/TSP EA/IAF auditors ETSI/ISO/etc. the IT industry W3C/IETF/etc. / Browsers National bodies EA/IAF

7 CERTIFICATES VS CERTIFICATIONS Do the CPS/TSP (director) have to be certified to issue certs (make films)? Which are the benefits/disadvantages? Are there levels of certifications depending on the certificates issued? Certificates Qualified Non Qualified Certifications Permission to issue Qualified Permission to issue non qualified How the users must know this situation? How to inform them? Are we trying to deal with different categories of CSP/TSPs (directors)?

8 ADVANTAGES/DISADVANTAGES/ OF ISSUING CERTIFICATES. FOR WHOM? Being certified (with bad name) End user trust Covered by insurance Condifence and security Not being certified (with good reputation) Secured? Assured? Trust?

9 W WHY IS SO IMPORTANT TO BE CERTIFIED?? Provides confidence to the end users, relying li parties, stackholders and owners. How? Is it really important? What would happen to those not certified? Can we deal with that?

10 W WHAT TO GET WITH THE CERTIFICATION?? Image and marketing Organizational procedures Legal accomplishment Security Is this effort enough?

11 WHEN SOMETHING GOES WRONG What happened? Security failed? Browsers/ASVs choose TSPs based on their certification audits and in their own procedures and policies REMOVE from the CA root program TSL notification/supervision isionbody REMOVE from the TSL list

12 WHEN SOMETHING GOES WRONG,, WHAT TO DO? DIGINOTAR Who s the responsible? The CSP/TSP? Should we find them guilty? Not judging? It does not matter the issue, what it s important is the solution. NOTE: Up to now Diginotar is the only one closed and on bankruptcy

13 SOLUTIONS Better audit guidelines for all the members of the movie: CSP/TSP, auditors, third parties, etc. understanding of the risks procedures for the issuing and revocation improvement of (PKI) software task management Collaboration IT industry, legal requirements, auditing, etc nationally and internationally

14 COLLABORATION CAsandBrowsers (CABForum) developing new requirements for issuing SSL certs ETSI ESI developing a complete framework of electronic signatures But Where are the notification/supervision bodies? Where are the national accreditation bodies and the accredited auditors? Should this be mandatary within the EU/Worldwide?

15 ALTERNATIVES ARE THERE ALTERNATIVES? CAB Forum has developed a minimun criteria for issuing baseline SSL and EV certificates with some differences of what it had up to now ETSI has developed and adopted these guidelines The industry is trying to find other solutions to improve security and usability (a big battle) with solutions like CAA, CT, DNSSEC, etc. Isolating?

16 SAME WAY OR FREE MADE AFTER Audit standards updated with new CABF guidelines and become Ens Mandate 460 Guidance for issuing EVs for CSP and auditors Conformity assesment for TSP issuing EVs Recommendations on Governance and audit regime for Evs and Baseline OR BEFORE Audit standards: TS and

17 EXAMPLE: SITE EV Perfect example of «service» to the entities (private and public)/users with the need of the standarization for «maximum» quality.

18 CONCLUSIONS Auditing the PKI is a very good practice but it s not THE solution, more actions are needed, i.e. law enforcement A certified Government TSP gives the citizenship more confidence and security, it s a trustable party Earning money, making profit is not the target but providingsecure and reliableservices Collaboration is needed It s necessary to win the Oscar to the best movie, director, actors, etc. it salsoimportanttohavea very good critics, and of course have a good service in a good cinema. The user has to know that paying the ticket is worthy, secure and trustable. t

19 I IS THERE SOMETHING ELSE TO CHANGE?? Are we (CSP/TSP) OK with ihthis«etsi» diagram? Are there differences between comercial and government CSP/TSPs? Is this enough?

20 Iñigo Barreira IZENPE ib i barreira@izenpe.net t