Session 1. esignature and eseal validation landscape. Presented by Sylvie Lacroix esignature and eseal validation workshop, Jan

Transcription

1 Session 1 e and eseal validation landscape Presented by Sylvie Lacroix e and eseal validation workshop, Jan

2 Legal Framework: eidas Regulation and e Validation as a (qualified) Trust Service (link to second presentation) 2

3 Technical Framework: Technical Concepts and Related Standardisation Landscape 3

4 STF 524 What 6 Trust service status lists providers TSPs supporting digital signature 4 creation & other related devices Creation & Validation Introductory deliverables Trust application service providers Cryptographic suites The STF 524 is in charge of producing standards for AdES* digital signature validation services provided by Trust Service Providers, addressing conformity assessment, protocols and validation report. (*) as specified in ETSI ENs , and This is to support, a.o. the validation of advanced and qualified electronic seals / signatures as identified in the eidas Regulation (EU No. 910/2014) in a distributed and mobile environment, whilst also meeting the requirements for the general commercial use of such services within a global context. 4

5 Needs for standards from eidas Validation of A(d)ES Need for an algorithm (EN ) Need to report (TS session 4) Validation of QES Need for specifying rules for validating legal requirements (art. 32) (TS , TS ) Validation service (TSP supported) Need for protocol (TS session 4) Need for security policies (EN , TS , TS session 5) Qualified validation services Need for mapping legal requirements to technical specs. to support assessments (TS session 5) Need for reporting "correct result" and "security relevant issues" (TS session 4) 5

6 STF 524 Deliverables 1. Security and policy requirements for the operation of trust service providers offering AdES digital signature validation services. Building on the general policy requirements specified in EN and requirements for signature validation application specified in ETSI TS when relevant for TSPs. This is aimed at services supporting the validation of digital signatures in accordance with EN Session A standard for AdES digital signature validation report for reporting the validation of a CAdES, PAdES or XAdES digital signature. This specification is aligned with the requirements specified in EN part 1. Session A standard for protocols for TSPs providing AdES digital signature validation services and related architecture for the distributed environment. Session 5. Important to note: it is out of scope to determine whether trust services conforming to these deliverables may be considered as qualified trust services or not, but the aim is that it should not be precluded that such trust services may be qualified. TS has an annex to provide specific requirements for QTSP these requirements do not modify the security level of the policy. Another region may develop a similar annex. 6

7 The validation process AdES digital signature as specified in ETSI ENs , and Validation process (model from (rev.)): SD or hash of Local config. Format checker Signing cert ID. X.509 constraints Crypto constraints failed indeterminate X.509 cert. Val. (rev. fresh.) Crypto verif failed indeterminate validation status: Total-valid Total-failed Indeterminate validation report: (diverse info) Validation policy Other constraints Acceptance indeterminate passed 7 applicability status: OK KO Applicability rules.

8 The validation standard landscape SD or hash of Local config. Format checker Signing cert ID. X.509 constraints Crypto constraints failed indeterminate X.509 cert. Val. (rev. fresh.) Crypto verif failed indeterminate validation status: Total-valid Total-failed Indeterminate validation report: (diverse info) Validation policy Other constraints Acceptance indeterminate 8 passed applicability status: OK KO Applicability rules - Validation is a technical processing (performed by a SVA) -A constraint is a technical criteria against which a signature can be validated (defined & benchmarked for processing; if (input) then (result) else (result) ) (e.g. key length > 1024) - The set of (to be) processed constraints is the Validation Policy (e.g. AES_QC validation) - acceptance is a technical processing consisting in finalising validation of the constraints, after X.509 and crypto constraints validation - Applicability checking can be machine or human checked, on the basis of the validation result & report

9 The validation standard landscape Applicability rules express business needs for a certain context and may contain a validation policy (e.g. the signer is a notary) A SVAs may check none, all, or part of a particular applicability rules ETSI TS offers the possibility to specify applicability rules and signature validation policies. Any rule that is turned into a technical criteria to be processed becomes a validation constraint Addressing other rules is OUT of scope of the STF 524 work AdES creation and validation policies AdES creator may limit the signature scope or ask for a certain validation process. How a validation service may address such limitation of the signer is IN the scope of the STF 524 Whether a validation service must address such limitation of the signer or not is OUT of scope of the STF 524 work Whether the receiver accepts such limitation of the signer or not is OUT of scope of the STF 524 work AdES validator may limit the scope of a signature and the way to turn this into a machine processable way is IN the scope of the STF 524 work. Whether such limitation is legal or not is OUT of scope of the STF 524 work. 9

10 The validation standard landscape For the validation of AES_QC and QES a specific signature validation policy is proposed, i.e. set of constraints to be processed and their benchmarks for processing (as part of TS ) TS refers to a NWI for processing TSL s info When validation is done by a TSP there are additional concepts: Validation Service Practices statement Validation Service Policy (e.g. TS ) A TSP does not necessarily have applicability rules, but always run its SVA with signature validation policy(ies) A TSP does not necessarily write a service policy (it may refer to a standard policy) but always have a Practices statement 10

11 Some details on foreseen calendar Draft publicly available (since 30/11/2017) for getting comments from stakeholders until 30/01/2018 Any comment welcome on : E SIGNATURES_COMMENTS@LIST.ETSI.ORG Processing of comments, provision of resolutions for comments, implementation, and production of new draft for ESI approval Approval by ESI scheduled for April 2018 Publication of ETSI TS , & : 31/08/

12 Additional information on ETSI documents ETSI Documents: Free download search E news: signatures_news&a=1 Further information: Thank you! 12