eias Study on an electronic identification, authentication and signature policy SUPERVISION Presentation on status

Transcription

1 eias Study on an electronic identification, authentication and signature policy SUPERVISION Presentation on status in the context of COM(2012) 238 Proposal for a Regulation on electronic identification and trust services

2

3 of QTS(P) s Supervisory Bodies to supervise Qualified Trust Service Providers (QTSP s) and Qualified Trust Services (QTS s) they provide Art.13 to 19 of COM(2012) 238. Looking for a consistent model that Enhance trust in QTSP s & QTS s, Harmonise supervision rules throughout EU, Allows leveraging for future international recognition. Find right balance between provisions in: Regulation: main principles & requirements, Secondary legislation, Standards.

4 Leveraging on existing building blocks Supervisory Bodies in place since DIR 1999/93/EC of CSP issuing QCs is mandatory / audits of QTSP s / QTS s Current disparities in MS practices but... Mutual recognition and equivalence of s & Reports by Bodies (CAB) can leverage on REG 765/2008 that provides Equivalence of National (NAB) conformant services, Equivalence of NAB s accreditation certificates, Equivalence of attestations issued by CAB s accredited by such NAB s to form the basis of QTSPs and QTS supervision in EU Leveraging on such (adopted) practices for future international recognition / equivalence (e.g. EA IAF, ISO/ITU, multilateral, etc.) M/460 mandate aiming for standards needed for the Regulation

5 6. Evaluation of Audit report 1. Complaints or observation of non-conformity or regular or random control once accredited QPKI Policy Management Authority acting as CSP Supervisory & 5. Audit report 7. Audit report conclusions and accreditation status notified 2. Designation & Mission allocation (or acceptance/refusal) Accredited (CAB) 4. Audit ( ) (incl. Auditors) 3. Designation acceptance/ refusal CSP and related certification service 1. Request for accreditation + related application information Proposed model for EU Scheme EU Scheme for QTS(P)s List of Trusted Lists (LoTL) European cooperation for (EA) International Forum (IAF) - Guidance () Trusted List - Process Flow status - Criteria Member State Supervisory National report Accredited (CAB) Assessors & Compliance verification (e.g. inspection, assessment, binding instruction from SB) Notification for against Qualified trust service provider & qualified trust services

6 Proposed model for EU Scheme List of Trusted Lists (LoTL) Trusted List status Member State Supervisory report Notification for Accredited (CAB) Assessors Qualified trust service provider & qualified trust services European cooperation for (EA) National against International Forum (IAF) conformity assessment shall mean the process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled COM(2012)238 recognised independent bodies as CAB s accredited by NAB as per REG 765/2008 All MS have a single NAB appointed under 765/2008. NAB evaluates whether CAB is competent to carry out specific conformity assessment activities (CAA) and issues accreditation certificate NAB manages the accreditation certificate life cycle: i.e. monitors accredited CABs, restrict / suspend / withdraw accreditation certificates NAB permitted to operate across national borders MS monitors NAB to meet 765/2008 (Art.8) requirements Peer evaluation organised by EA to verify continuing compliance with 765/2008 and ISO/IEC Information obligation (CAA, NAB s, peer evaluations) NAB demonstrating conformity with harmonised standards (OJEU) by successful peer evaluation (Art.10) are presumed to fulfil 765/2008 Art.8. Equivalence of attestations issued by CAB s accredited by such NAB s

7 study Bus. Guid. for TASPs Business Guidance for TSPs supporting esig Gen. Policy Req. for TSPs supporting esig ISO 27001/27002 specific requirements IT European cooperation for (EA) ent ort ovider ces Forum (IAF) Proposed model for EU Scheme National ormity sment against International verification assessment, REG 765/2008 Notification for n from SB) valuators Assessors valuators Member State Supervisory Accredited (CAB) Assessors assessments - with ability to conduct specific ISO based assessments (ISMS): with regards to a sector/ regional specific framework: EN 319 4x3 / EN 319 5x3 National Accredited Accredited report Assessors accredits (CAB) report (CAB) Assessors assesses ision against Notification ISO for against against (Internal & ent, Qualified trust service provider & qualified External trust Services) services SB) Qualified trust service - with provider ability Qualified to conduct trust service provider TS 119 4x3 specific ISO based & qualified trust services & qualified trust services Feasibility confirmed from EA-EC-ETSI meeting; common efforts to pave the way towards implementation e.g. using... against TS 119 5x3 aligns with QTSP issuing QC s for esignatures for eseals for websites QTSP issuing QTStoken QValidationSP for QeSignatures for QeSeals Preservation of QeSignatures of QeSeals QTSP providing QeD service aligns with QTS(P)s (as a possible method to prove compliance with applicable legal provisions) Pol. & Sec. req. for TSP QC s P&S req P&S req Pol.& Sec. req. for DPSPs Pol.& Sec. req. for REM srvcs ISO incl. specific - scoped ISO 27001/2 requirements + controls - scoped ISO based controls Certificate Profiles TST Profiles Profiles for TSP SVSs Tech specs for DPSs Tech specs for REM ser.

8 study Bus. Guid. for TASPs Business Guidance for TSPs supporting esig Gen. Policy Req. for TSPs supporting esig ISO 27001/27002 aligned specific requirements Proposed model for EU Scheme t Organised per type of QTS(P)s and related standards that specifically include QTSP(s) dedicated/scoped ISO 27001/2 & ISO Management Systems requirements Incl. a full check-list of controls per type of QTS ( ) TECHNICAL STANDARDS Secondary Legislation REG. QTSP issuing QC s for esignatures for eseals for websites Pol. & Sec. req. for TSP QC s Certificate Profiles incl. QC QTSP issuing QTStoken P&S req TST Profiles QValidationSP for QeSignatures for QeSeals P&S req Profiles for TSP SVSs Preservation of QeSignatures of QeSeals Pol.& Sec. req. for DPSPs Tech specs for DPSs QTSP providing QeD service Pol.& Sec. req. for REM srvcs Tech specs for REM ser.

9 Preparation includes (TSP intends to provide Qualified Trust Service as Qualified TSP) Initial Compliance Verification (Supervisory to decide on qualified status) Termination notification in cessation cessation review Compliance verification based on update of notification information including report of periodic or event driven OK by CAB accredited by NAB Notification (TSP notifies competent, incl. conformity assessment report) compliance pending ceased by accredited CAB compliance not OK compliance OK Undersupervision pending revoked compliance not OK Other (notified) events or at the discretion of the Supervisory review Compliance verification based on update of notification information including report of periodic or event driven pending Life-cycle management of supervision status (at trust service level) Yearly anniversary from initial status by accredited CAB compliance not OK OK Business Guidance for TSPs supporting esig Bus. Guid. for TASPs Gen. Policy Req. for TSPs supporting esig study ISO 27001/27002 specific requirements List of Trusted Lists (LoTL) Trusted List status Member State Supervisory report Notification for Mutual recognition with third countries & Int al Org Accredited (CAB) Assessors Qualified trust service provider & qualified trust services European cooperation for (EA) National against International Forum (IAF) ISO (Internal & External Services) - with ability to conduct specific ISO based assessments - with ability to conduct specific ISO based assessments (ISMS): with regards to a sector/ regional specific framework: EN 119 4x3 / 5x3 By design, the EU Scheme should be conceived to facilitate its recognition, e.g. Trusted Lists as visible part of the iceberg Adoption at EA / REG 765/2008 level: equivalence of assessments by CABs being accredited by NABs Extend the EA adopted model at the level of IAF (e.g. Multilateral Recognition Arrangement - MLA) Extension through Bilateral-Multilateral negotiation (e.g. REG. Art. 10, IAF bilateral negotiation) ISO/IEC JTC 1 SC27 Study Group on PKI Policy/Practices/Audit International framework for mutual-recognition arrangement (e.g. IAF, ISO, output from ISO/IEC JTC 1 SC27 PKI Policy/Practices/Audit study) TS 119 4x3 TS 119 5x3 aligns with ISO incl. specific QTSP issuing QC s for esignatures for eseals for websites QTSP issuing QTStoken QValidationSP for QeSignatures for QeSeals Preservation of QeSignatures of QeSeals QTSP providing QeD service aligns with Pol.& Sec. req. for REM srvcs Pol. & Sec. req. for TSP QCs P&S req P&S req Pol.& Sec. req. for DPSPs Certificate Profiles TST Profiles Profiles for TSP SVSs Tech specs for DPSs Tech specs for REM ser. - scoped ISO 27001/2 requirements - scoped ISO based controls... is one possible method to meet such arrangement other equivalent methods to meet arrang.

10 Proposed model for EU Scheme Regulation: main principles & requirements e.g. conformity assessment made by CAB accredited by NAB in context of REG 765/2008 e.g. prior authorisation Secondary legislation (D.A./I.A.): More detailed requirements on practical implementation of REG s main principles and requirements, e.g.: (activities/tasks) Procedures and Process Flow: incl. qualified status flow in Trusted Lists; incl. continuity of terminated QTS(P)s Entire lifecycle (not only initiation) Mapping to (harmonised) EN &/or standards as a possible method to prove compliance to Regulation relevant articles: Guidance + Criteria : mapping legal provisions to EU standards per type of qualified trust service (incl. security requirements measures applicable to TSP s, Trust Worthy Services & products); Trusted List specifications updated from CD 2009/767/EC (content, specs, format). Cross-border assessment and mutual assistance between SB s Standards M/460 phase 2 (+ phase 3) Harmonisation of the norms?

11 Process Flow Preparation includes (TSP intends to provide Qualified Trust Service as Qualified TSP) by CAB accredited by NAB Notification (TSP notifies competent, incl. conformity assessment report) Initial Compliance Verification (Supervisory to decide on qualified status) compliance pending compliance OK Undersupervision compliance not OK Life-cycle management of supervision status (at trust service level) One-year supervision cycle based on: Full every year (incl. at notif ) or at request of the EC. Full or Surveillance at any time, at own initiative of Supervisory, or from notified event. Statement of is materialised by publication of the supervision status in the competent MS Trusted List and is valid until the TL next update. Legend: Undersupervision status in TL Transition between states/statuses Verification of Compliance & of Report status is kept until next status assignment Termination notification in cessation cessation review Compliance verification based on update of notification information including report of periodic or event driven by accredited CAB OK ceased compliance not OK pending revoked Other (notified) events or at the discretion of the Supervisory review Yearly anniversary from initial status Compliance verification based on update of notification information including report of periodic or event driven by accredited CAB pending compliance not OK OK

12 status flow (to be reflected in Trusted Lists) Start Trusted List of supervised Trust Services Under Trusted List of supervised Trust Services InCessation Trusted List of supervised Trust Services Ceased Trusted List of supervised Trust Services Revoked

13 Secondary legislation wrt (expl. QTSP QC ) Listed in REG proposal DA 13.5 on procedures applicable to the activities (Art.13& tasks Art.13bis?) of SB: Monitoring of TSPs of QTS(P)s Continuity of terminated QTS(P)s (Art.19(2)g) DA 15.2 on security req. & measures for TSPs DA 18.5 on TL information about QTS(P)s (CD 2009/767 core in REG?) DA/IA 16.5 on CAB accreditation (better in REG?) IA 18.6 on TL tech. specs & format IA 13.6 on SB s yearly activities report (Art. 13.3) (circumstances, format, procedures) IA 14.4 on SB s mutual assistance (Art.14) IA 15bis.2 on security breach notification (Art.15bis) IA 17.5 on supervision initiation of QTS(P)s - circumstances, format, proc; incl. Inclusion in TL) IA 19.5 referencing stds on TWS & products (Art. 19) DA 21.4, 29.4, 37.3 on Annex I, III & IV (QC) if needed IA 21.5, 29.5, 37.4 on Annex I, III & IV (QC) Act: 1 Procedures & process flow regarding supervision of QTS(P)s, incl.(inc. or by ref.): Model ( ): based on R.765/2008 accreditation scheme (see model described on right) by ref. Entire process lifecycle (not only initiation) Breach notification (ref. to specific Act?) Trusted Lists: - Information to be found in TL about QTS(P)s - Q status flow in TL - TL specs & format (TS ) Continuity of terminated QTS(P)s (Art.19(2)g) Mutual Assistance between SB s (format, procedures, circumstances?) Yearly activities report from SB to EC (circumstances, format, proc.) Regulation 765/2008: EA adopted & OJEU published accreditation scheme - NAB accrediting CAB against - to perform QTS(P)s assessment against QTSP QC s for esignatures for eseals for websites ISO (Internal & External Services) - with ability to conduct specific ISO based assessments - with ability to conduct specific ISO based assessments (ISMS): with regards to a sector/ regional specific framework: EN 319 4x3 / EN 319 5x3 TR EN Bus. Guid. for TSPs esig Gen. Pol. Req. for TSPs esig EN Pol. & Sec. req. for TSP QC s EN Certificate Profiles incl. QC Updated with regards to REG, e.g. - Policy requirements to be aligned with REG req. (e.g. CVSI services, Termination Plan, security measures, security breach notification, etc.) - Certificate profiles to be aligned with REG req. (Art. 21) - Certificate Validity Status Information (CVSI) profiles (e.g. CRL profile, OCSP profile)

14 6. Evaluation of Audit report 1. Complaints or observation of non-conformity or regular or random control once accredited QPKI Policy Management Authority acting as CSP Supervisory & 2. Designation & Mission allocation (or acceptance/refusal) 5. Audit report 4. Audit ( ) 7. Audit report conclusions and accreditation status notified Accredited (CAB) (incl. Auditors) 3. Designation acceptance/ refusal CSP and related certification service 1. Request for accreditation + related application information Conclusions EU Scheme common to all MS Increase trust & confidence level of QTS(P)s in EU, transparency, equality, better preparation of QTSPs, harmonised and stronger rules Trust recognition in EU and beyond as benchmarking reference for mutual recognition with 3rd countries and international organisations (Delegated and) Implementing Acts mechanism allow implementation of such a common EU Scheme and are key elements between primary legislation and best practices / possible technical standards EU Scheme for QTS(P)s - Guidance () - Process Flow - Criteria conclusions List of Trusted Lists (LoTL) Trusted List status Member State Supervisory report Notification for Accredited (CAB) Qualified trust service provider & qualified trust services European cooperation for (EA) Assessors National against International Forum (IAF) IAS 2 team to assist the EC in drafting the secondary legislation with regards to the EU scheme