Sándor Szőke, Dr. Microsec Ltd. Migration of national PKI Services to eidas conformant Trust Services case study in Hungary

Transcription

1 Sándor Szőke, Dr. Microsec Ltd. Migration of national PKI Services to eidas conformant Trust Services case study in Hungary

2 Introduction Private Hungarian IT company since 1984 Custom specific IT system development Company Registration System since 1990 using private PKI for document signing, client authentication and encryption using time stamps and e-delivery Qualified Trust Service Provider Certificate Authority since 2002 (qualified since 2005) Qualified Time Stamps since 2005 Qualified Archiving since 2007 (1 st in the EU) Member of ETSI since 2007 Supplied security technology for several e-government projects in Hungary e-passport issuing system e-id card issuing system Government CA (NISZ) Supplier of PKI solutions Own development for CA, RA, Time Stamping, Archiving/Preservation, e- delivery PassBY[ME] family on mobile platforms for strong ID validation, mobile based electronic signatures, remote electronic signatures MicroSigner for WEB based electronic signature with client QSCD without JAVA applet

3 Transition of qualified trust services QUALIFIED TRUST SERVICE Directive 1999 EAT 2001 EIDAS 2014 EÜT 2015 MICROSEC DEADLINE for audit DEADLINE for registration DEADLINE for old service Certificate for electronic signature (for natural persons) months --- Certificate for electronic signature (for legal persons) Certificate for electronic seal (for legal persons) x x x x x ( ) ( ) --- Electronic time stamping x ( ) ( ) Archiving (long-term preservation of digital signatures) x ( ) ( ) No accreditation body no auditor in Hungary Order the audit from abroad TÜViT (Germany) Very short deadline, special Hungarian requirements, eidas and ETSI audit 3 months audit with 5 days local audit successfully finished by the end of October Supervisory audit finished in December 4 qualified trust services registered on

4 Which standards were used QUALIFIED TRUST SERVICE / NORMATIVE TÜViT conformity assessment according to ETSI TS V2.2.2 ( ) Audited against EN V1.1.2 ( ) ETSI EN V2.1.1 ( ) ETSI EN V1.1.1 ( ) ETSI EN V2.1.1 ( ) ETSI EN V1.1.1 ( ) ETSI EN V2.1.1 ( ) ETSI EN V1.1.1 ( ) ETSI EN V2.1.1 ( ) ETSI EN V1.1.1 ( ) ETSI EN V1.1.1 ( ) ETSI TS V2.1.1 ( ) ETSI TS V1.1.1 ( ) Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers Certificate for electronic signature Certificate for electronic seal Electronic time stamping Archiving (preservation) Regulation (EU) No. 910/2014 (eidas) Accessibility requirements suitable for public procurement of ICT products and services in Europe General Policy Requirements for Trust Service Providers Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements Requirements for trust service providers issuing EU qualified certificates Certificate Profiles; Part 1: Overview and common data structures Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons Certificate Profiles; Part 3: Certificate profile for certificates issued to legal persons Certificate Profiles; Part 5: QCStatements. Policy and Security Requirements for Trust Service Providers issuing Time-Stamps x x x x x x x x x x x x x x x x Timestamping protocol and time-stamp token profiles x x x Policy requirements for trust service providers signing and/or storing data objects x x x Cryptographic Suites

5 Benefits of using standards Benefits of using standards European Single Market Interoperability Lower cost higher efficiency Advantageous mainly for smaller countries/companies needs legal background Positive examples Standardized audit requirements ETSI TS Microsec (HU) TÜViT (GE) NMHH (HU) Hungarian TL Certification services ETSI EN ,2 for CA services policy and security requirements CHECKLISTS (EXCEL TABLES) FOR SELF evaluation ETSI EN ,2,3,5 Certificate profiles Time stamping ETSI EN Policy requirements CHECKLISTS (EXCEL TABLES) FOR SELF evaluation ESTI EN Timestamping protocol and time-stamp token profiles

6 Smaller issues with standards Certificate formats during the transition period National legislation Which certificate format shall be used during the transition period? We use the eidas conformant format since eidas conformity is a common minimum Additional requirement above eidas Intermediate certificates Specification of root and intermediate certificates should be more specific Issuing TSA certificate Handling new attributes QSCD for seal Which CA may issue TSA certificate (root or intermediate) Harmonization with CABF requirements Some application doesn t handle some of the new attributes and extensions (Organization Identifier, Qualified Certificate Statements) There is no qualified seal creation device is SSCD acceptable? Based on discussion with experts we use SSCD device also for seal

7 Standardization gaps Missing standards e-delivery ETSI is already working on it Preservation preliminary study finished Qualified signature on mobile devices (private keys on the mobile device) PKI based client authentication out of the eidas scope (?) Closer cooperation with CABF Certificate Authorities need to fulfil several requirements Withdrawal of the ETSI TS policy specifications? ETSI TS v2.4.1 ( ) > ETSI EN ETSI TS v1.4.3 ( ) > ETSI EN Cryptographic algorithms Key importance for interoperability Regular change in algorithms and parameters Decision on national level - may result incompatibility Common EU regulation would be needed even on voluntary bases

8 THANK YOU! Sándor SZŐKE, Dr. Microsec Ltd. H-1031 Budapest, Záhony u. 7. D Hungary