Countdown to eidas. Date: 19/04/2016 Auteur: CTIE Révision: 1.0 Ref: EIDAS_CTIE_4 Page 1

Transcription

1 Countdown to eidas Date: 19/04/2016 Auteur: CTIE Révision: 1.0 Ref: EIDAS_CTIE_4 Page 1

2 About CTIE (Centre des Technologies de l'information de l'etat) Provides centralised IT services for all public administrations Total annual budget > 100 Meuros Full-time staff > 300 agents Speaker Head of Internal audit Luxembourg eidas EU Commission eid, e-signatures, e-participation, Page 2

3 Agenda 1. Motivations 2. Overview 3. eid 4. Trust services 5. Conclusions Page 3

4 Agenda 1. Motivations 2. Overview 3. eid 4. Trust services 5. Conclusions Page 4

5 EU digital market 315 million Europeans use the Internet every day 21,6 million of SMEs in the EU, of which more than 40% have cross-border activities Potential contribution to European GDP of a fully functioning DSM has been estimated at EUR 415 billion/year Over 14 million EU citizens are resident in another Member State Between 2001 and 2011, digitalisation accounted for 30% of GDP growth in the EU e-commerce is growing rapidly in the EU at an average annual growth rate of 22%, surpassing EUR 200 billion in 2014 In % of retail travel and tourism sales were made online for a volume close to EUR 70 billion Page 5 Source: European Commission

6 EU Digital market Page 6 Source: European Commission

7 Before eidas Electronic signatures (esignature Directive (1999), Services Directive (2006)) However: Different interpretations of SSCDs Appropriate supervision of TSPs No distinction between natural and legal persons Outdated technical standards Authentication? Technical PoCs (STORK, ) and many national solutions Other Trust Services? No common legal basis Page 7

8 eidas principles Goal: strengthen EU Single Market by boosting trust and convenience in secure and seamless cross-border electronic transactions. Too small Extended scope to cover eid and all relevant trust services Too Weak Regulation directly enforceable in all MS (+ optional IAs) Some "gray areas" have been clarified (Supervision, QES, QSCD, ) Too old New use-cases and technologies have been taken into account Technology-neutral and outcome-based approach Page 8

9 Agenda 1. Motivations 2. Overview 3. eid 4. Trust services 5. Conclusions Page 9

10 eidas scope eidas Regulation eid Trust services Mutual recognition Levels of Assurance esignatures eseals Time stamp Website authentication Electronic registered delivery esig/eseals validation and preservation Notification process Interoperability framework Trusted lists QSCD Trust mark Liability TSP supervision Breach notification Page 10 + electronic documents

11 Page 11 eidas usage scenario

12 eidas impact Some past (or ongoing) large-scale EU pilot projects which have lead to eidas: Education: STORK, STORK2 Banking and financial services: STORK2 Public Services for Businesses: SPOCS, STORK2 Health: epsos, e-sens Procurement: PEPPOL, e-sens Justice: e-codex, e-sens Agriculture: e-sens Page 12

13 Legal framework Legal act Réf. In force eidas regulation (EU) 910/ /09/2014 IA on cooperation (EU) 2015/296 17/03/2015 IA on interoperability framework (EU) 2015/ /09/2015 eid IA on levels of assurance (EU) 2015/ /09/2015 IA on EU trust mark (EU) 2015/806 12/06/2015 IA on trusted lists (EU) 2015/ /09/2015 IA on esignatures / eseals formats (EU) 2015/ /09/2015 Trust services IA on notification (EU) 2015/ /11/2015 IA on standards for QSCDs? 04/2016? More optional implementing acts are foreseen by eidas Page 13

14 Planning 17/09/2014 entry in force of eidas regulation eid 29/09/ /09/2018 Voluntary recognition Mandatory recognition 01/07/2016 Trust services esignature Directive regime Transition period (QES TSPs) eidas regime Page 14

15 Planning What will happen with electronic signatures? Currently: esignatures Directive is still in effect National esignature/trust service laws are in effect On July 1 st 2016: esignature Directive is invalidated all conflicting national rules are repealed and replaced references to the Directive references to eidas all existing e-signatures keep their value Transitional measures: SSCD and QCs keep their status QTSPs must submit an assessment by 1 July 2017 Page 15

16 Agenda Motivations Overview eid Trust services Conclusions Page 16

17 eid eidas key Principles for eid: The goal is mutual recognition, not harmonisation. Voluntary notification of electronic identification schemes by Member States. Mandatory cross-border recognition only to access public services. Private sector has full autonomy. Notified schemes must allow access to at least one public service, free of charge. Page 17

18 The interoperability challenge 28+3 Countries 500+ million people Dozens of eids (used in several countries) Thousands of online public & private services Page 18

19 The interoperability challenge eidas nodes Connector Service MS specific eidas interoperability framework MS specific Page 19

20 eid interoperability framework Implementing regulation (EU) 2015/1501: Minimum data sets ISO certification of eidas nodes Liabilities in MW scenario -> SLA in preparation eidas Technical Specifications (v 1.0): Based on STORK1, but not compatible Covers architecture, SAML message format and attribute profiles, cryptographic requirements CEF eid example implementation (v 1.0): Open source code by DIGIT available on Joinup Page 20

21 eid Levels of Assurance (LoA) Enrolment eid means management Authenti cation Management and organisation Application and registration Identity proofing and verification (natural person) Electronic identification means characteristics and design Issuance, delivery and activation Authentication mechanism General provisions Published notices and user information Identity proofing and verification (legal person) Binding between the eid means of natural and legal persons Suspension, revocation and reactivation Renewal and replacement Information security management Record keeping Implementing regulation (EU) 2015/1502: 3 levels : low, substantial, high The scheme's LoA level is the lowest of 16 sub-loa levels in 4 categories Facilities and staff Compliance and audits Technical controls Page 21

22 eid example workflow (proxy-proxy scenario) Online service Please go here eidas Connector Sure, how do you want to authenticate? 1 I want to use your service eidas! Page 22

23 eid example workflow (proxy-proxy scenario) Online service Where did you get your eid? eidas Connector Please go here eidas Proxy Service 2 Luxembourg Page 23

24 eid example workflow (proxy-proxy scenario) Online service eidas Connector eidas Proxy Service Identity / Attribute provider RNRPP 3 i. Select eid ii. Authenticate PIN:****** iii. Consent Page 24

25 eid example workflow (proxy-proxy scenario) Online service data eidas Connector data eidas Proxy Service data Identity / Attribute provider RNRPP Access granted Page 25

26 Agenda Motivations for eidas Overview eid Trust services Conclusions Page 26

27 Trust Services eidas key Principles for Trust Services: Non-discrimination in Courts of electronic trust services vis-à-vis their paper equivalent Specific legal effects associated to qualified trust services Non-mandatory technical standards ensuring presumption of compliance Technological neutrality Harmonization of national supervision and strengthening of data protection Page 27

28 Trust services Qualified trust services covered by eidas: electronic signatures (Art.28) electronic seals (Art.38) website authentication (Art.45) preservation service for QESig/ QESeal (Art.34 / Art.40) electronic time stamps (Art.42) electronic registered delivery service (Art.44) But: Recital (25): Member States should remain free to define other types of trust services in addition to those making part of the closed list of trust services provided for in this Regulation, for the purpose of recognition at national level as qualified trust services. Page 28

29 Trusted lists Official journal of the EU Trusted Lists have a constitutive effect for qualified trust services List of the lists (LotL) National trusted lists Page 29

30 Trust mark Implementing Regulation (EU) 2015/806: After a TSP has been added to the Trusted List, it may use the EU trust mark to indicate its status of qualified TSP. A TSP using the trust mark must: include a link to the relevant trusted list clearly indicate which qualified services the trust mark refers to Page 30

31 esignature / eseal esignature: Creator: natural person (pseudonym allowed) Legal value: all: non-deniable legal effect in court qualified: equivalent to handwritten signature in all EU eseal: Creator: legal person Legal value: all: non-deniable legal effect in court qualified: presumption of integrity of the data and of correctness of the origin of that data to which the seal is linked. Recital 65: electronic seals can be used to authenticate any digital asset of the legal person, such as software code or servers. Page 31

32 esignature / eseal Implementing decision (EU) 2015/1506: Member States requiring AdES or AdES(QC) must recognise: Format Conformance level ETSI standard XAdES baseline profile B, T, LT TS v CAdES baseline profile B, T, LT TS v PAdES baseline profile B, T, LT TS v ASiC baseline profile all TS v Other formats must also be accepted if a validation service is provided by the MS implementing this format. Page 32

33 esignature / eseal preservation Definitions (Art. 34 (1) and 40): A qualified preservation service for qualified electronic signatures (resp. qualified seal) may only be provided by a qualified trust service provider that uses procedures and technologies capable of extending the trustworthiness of the qualified electronic signature (resp. qualified seal) beyond the technological validity period. Recital (61) clarifies the idea:... ensure the legal validity of electronic signatures and electronic seals over extended periods of time and guarantee that they can be validated irrespective of future technological changes. Technical standards: Long-term archival forms of PAdES/CAdES/XAdES/ASiC formats exist, but they are excluded from the scope of (EU) 2015/1506 Decision. Other formats are being investigated, such as ERS (Evidence Record Syntax, see RFC 6283). Page 33

34 Timestamps Definition (Art. 3 (33)): data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time. Legal effects: TST: non-deniable legal value in court QTST: presumption of time accuracy and integrity of data Requirements for QTST: 1. detectability of changes in time stamped data 2. based on an accurate time source linked to Coordinated Universal Time 3. signed or sealed by QTSP s AdESig or AdESeal, or by equivalent method Optional implementing act Page 34

35 Website authentication Goal: " a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website." Optional implementing act is undecided, but EN v defines a QCP-w policy for website authentication based on a qualified certificate: QCP-w = EV + QTSP (legal persons) = better protection for the users CA/Browser Forum : "Guidelines for The Issuance and Management of Extended Validation Certificates". eidas regulation: Supervision by a national SB Regular audits by an accredited CAB Breach notification duties Under the EU data protection regulatory framework Liability w/ reverse burden of proof Page 35

36 Website authentication The SSL ecosystem is changing: Browser vendors have taken over Internet PKI governance New technical solutions are being pushed: CT, HPKP, HSTS, CAA, etc. Free DV SSL offers Browser vendors are considering dropping support for EV SSL but still no coordination amongst browser vendors about Trust and UI Qualified Website Authentication Certificates (QWACs) need: Support from browsers: - Usage of Trusted Lists for QWAC validation - QWAC support in their SSL indicators Support from CAs: - Offer QWACs as new business solution Discussions are ongoing between Member States, EU Commission, browsers, CAs, ETSI, CA/B Forum, etc. Page 36

37 Electronic registered delivery services Definition (Art. 3 (36)): service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations. Legal effects: erds: non-deniable legal value in court QeRDS: data sent and received shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service Page 37

38 Hybrid mail is an example of erds trust service: Electronic registered delivery services Idea: send a physical letter to an addressee in another country directly from your PC. Process: digital information sent to the postal operator of the destination country, which prints, envelops and delivers the paper version to the addressee. Pilot project from FR-DE-AT-IT-EE post operators. Page 38

39 TSP supervision Supervisory body: (Art. 17) Are designated by each Member State to supervise : - non qualified TSPs: ex-post - qualified TSPs: ex-ante and ex-post Can initiate audits (internals or from a CAB) of QTSPs (ad-hoc and at least every 24 months) at their own cost. Must cooperate with national data protection authorities and other supervisory bodies. Must report yearly to COM/ENISA about its activities and breach incidents (ENISA reporting tool in development). Page 39

40 TSP supervision Trust Service Providers: (Art. 19) Must notify their SB (and potentially others) of security breaches within 24h. Must submit audit reports from CABs to their SB within 3 days (QTSPs). Must remedy to any failure pointed out by the SB within the time limit set by the SB (QTSPs). Conformity Assessment bodies: 09/2015: Publication of EN Requirements for conformity assessment bodies assessing Trust Service Providers Page 40

41 Agenda Motivations for eidas Overview eid Trust services Conclusions Page 41

42 Conclusions 1. The eidas regulation regulates electronic identification and several trust services (esignatures, eseals, etimestamps, QWACs, erds) is directly enforceable in all MS and will repeal all conflicting national rules enables cross-border interoperability of electronic identification means enables cross-border legal value of qualified trust services eidas can be a game changer for online security in the EU Page 42

43 Conclusions 2. eidas offers many opportunities to the private sector: New (and old) trust service providers Conformity Assessment Bodies Consumers of trust services with cross-borders legal value New solutions using the eidas TS building blocks Online service providers can become accessible from all EU eid solution providers can access many EU online services eidas is not just about public sector and trust service providers Page 43

44 Thank you DG CONNECT: www: FAQs: CEF: www: Contact me: Page 44