Electronic Commerce Working Group report

Transcription

1 RESTRICTED CEFACT/ECAWG/97N012 4 December 1997 Electronic Commerce Ad hoc Working Group (ECAWG) Electronic Commerce Working Group report SOURCE: 10 th ICT Standards Board, Sophia Antipolis, 4 th November 1997 STATUS: for review ACTION:

2 page 2

3 ICT Standards Board ICTSB10(97)25 U Hartmann/gt 28 October 1997 page 3 10th ICT Standards Board Sophia Antipolis 4 th November 1997 Source: Title: Electronic Commerce Working Group Electronic Commerce Working Group report Agenda item: 4.2 Document for: Information 1 Background Following a request from ICTSB #9, members of the group were asked to provide updates of their activities to the Secretariat. Reports were received from CEN and ECBS as follows. 2 Report from CEN 2.1 Reorganization Since the last meeting of the ICTSB Electronic Commerce Group there has been a complete reorganization of the ICT work within CEN. The new framework of CEN/ISSS takes over the work that was previously done by CEN, EWOS, EBES and ECITC. In addition there has been a recent decision by the EBES Board to concentrate its activities on the support to the UN/ EDIFACT process and let the work of its Electronic Commerce Steering Group (ECTSG) be subsumed in the mainstream CEN/ISSS Workshop mechanism. 2.2 Electronic Commerce Workshop It is intended to establish a dedicated Electronic Commerce early in An open planning meeting will take place take place on 21 November in Brussels. Already there are 2 work items under consideration and for which calls for experts have been issued: Product and Data Harmonization The aim is to build a repository of objects in a human processable neutral format - i.e. in Phase I the format is not important, only the content - termed the Common Object Repository. Message implementation Guidelines (MIGs) The aim is to provide a single focus, open repository (such as a web site) which will index or hold MIGs in readable and/or processable formats.

4 page Related work Other work related to electronic commerce is also being undertaken or considered within the framework of CEN/ISSS Card related secure commercial and financial transactions on open networks This work, which is being undertaken jointly by a CEN/TC224 and ISO/TC68 study group, has been presented before to the ICTSB. It has just received funding from the European Commission and now has revised deadlines as follows: Interim report: May Final report: December Interoperable C-SET A meeting has been held under the auspices of CEN/ISSS with the C-SET Consortium (Cartes Bancaires and Banksys) at which various interested parties expressed their views. The consortium stated that it wished to input its work into the standardization process and it was agreed that this could form part of the activities of the Electronic Commerce Workshop - see 2.2 above. A resource requirement for such a workshop activity will be prepared for the preparatory meeting on 21 November. A further meeting of the interested parties will be held on 7 November. 3 Report from ECBS on electronic purchasing activities ECBS has become increasingly involved in the area of Electronic Commerce, which is expected to be one of the major topics for the future. The Technical Committee on security (TC4) focuses mainly on information security. The activity of this Technical Committee includes Certification Authorities (Trusted Third Parties) Financial transactions are mainly processed by automatic systems and exchanged in digital formats that need to be properly authenticated. A widespread use of digital signatures, however, is strongly dependent on economic solutions for key management problems. The use of a Certification Authority would significantly simplify this problem. The banking industry requires guidance and agreement on how to operate a Certification Authority for cryptographic keys, even more so now that public key algorithms are used more frequently for providing security for industry mechanisms. It is therefore desirable to ensure that the certification functions are managed properly by the financial sector. Conventionally Chambers of Commerce perform the work of Trusted Third Parties or Certification Authorities. A statement of the specific requirements for Certification Authority for the banking sector is still awaited. Progress on establishing a clear statement of requirements for the European banking sector in relation to Certification Authorities is under study. A working group studied the draft American standard, ANSI X9.57 on Certification Management as well as other relevant work in this area. A Technical Report on Certification Authorities will give guidelines on how to use a Certification Authority within the banking industry. Additionally, the report will specify the contents of the certificate and give recommendations on how to implement the available standards in this area. (DTR 402, Certification Authorities, to be published soon, draft available). Digital Signatures

5 page 5 An effective digital signature requires a public key algorithm, a secure hash algorithm, and a system of key management. To achieve interoperability requires agreement on standards for these items, plus agreement on the security procedures of a trusted third party (or certification agency). An ECBS standard for the use of a digital signature algorithm and the mode of operation is needed for interoperability between banks in Europe. A strong standard developed by the banking industry for its own use would be commercially extremely attractive for the bank to corporate environment. This standard would be optional, but would be available for use, as required, by members in circumstances such as those covered in the ECBS standard for a generic cross border credit transfer. The work includes an assessment of work being carried out at ISO/IEC JTC1 SC27 and ISO/TC68. Secure Banking over the Internet European banks must position themselves regarding: the use of Internet for global banking services; the use of Internet for internal purposes; new banking applications brought forward by global information infrastructures. The Technical Report provides a set of recommendations on how banks can securely execute banking transactions over the Internet and, secondly, it provides a set of recommendations on how banks can securely connect to the Internet. Security and business requirements have been specified. (TR 401, Secure Banking over the Internet, published in March 1997). ECBS will carefully monitor the work in this area carried out by other organisations and seek to influence the process when the outcome may have an impact on the banking industry. The work covers both software only solutions and solutions based on tokens and provides both a short term and a long-term recommendation. Additionally, migration from software only solutions to token solutions should be possible and will be examined. Key Escrow The use of strong cryptographic mechanisms is a prerequisite to the success of electronic commerce. Digital signature (and similar) mechanisms are required to provide proof of the origin and integrity of electronic data, while encryption is needed to protect personal information, static authentication data and other confidential information against unauthorised disclosure. While, in general, there is no problem with the use of strong cryptographic techniques to provide authentication and integrity mechanisms, many governments are concerned that the usage of unbreakable encryption technology by criminals would make their law enforcement and national security objectives difficult, even impossible, to achieve. Essentially, key escrow systems seek to provide law enforcement and national security agencies with access to the cryptographic key(s) necessary to decrypt encrypted telecommunications traffic that has been obtained from a telecommunications service provider via lawful intercept. The cryptographic keys in question are held in escrow by a Trusted Third Party. Generally, financial institutions have until now been the sole commercial users of strong cryptographic techniques. Some European countries have introduced, or are strongly considering, requirements for the escrow of confidentiality keys. However, there is no uniform approach, and some countries may not adopt key escrow. Financial institutions are naturally concerned to ensure that they can continue to provide adequate protection to financial services, both within national boundaries, and cross border. ECBS is planning a Technical Report on these issues. It will summarise the issues surrounding the use of strong cryptography to protect transmitted and stored information; provide a bibliography of sources of information on key escrow and related techniques;

6 page 6 review existing and emerging legislation controlling the use of strong cryptographic techniques in a number of European countries; propose a set of technical principles that ECBS can adopt for use by its members as a formal position statement. 4 Other information 4.1 Smart Card Forum for Europe A meeting of Smart Card interested parties was held under the auspices of the UK Department of Trade and Industry on 1 and 2 October The purpose of the meeting was to examine whether a European Forum to support the Smart Card Industry would be of sufficient benefit to justify the effort and cost involved. Some areas were highlighted as possibly needing consensus: Security and privacy Access Systems for the disabled Codes of Practice and Conduct Common items of Specifications and Standards Use of Biometrics Regulations and Legislation Multi-Application Cards Consumer Protection It was agreed that a EFORUM Start-up group should be set up (with CEN/ISSS on the membership) to put together draft terms of reference, membership, options for funding, methods of operating etc. Clearly there is potential for some of this work being directed towards the members of ICTSB.