Seminar on Electronic Certification (Séminaire sur la Certification Electronique)


Seminar on Electronic Certification (Séminaire sur la Certification Electronique), Algiers, Algeria, 8-9 December 2009
International Telecommunication Union, Arab Regional Office
Assisting Governments in Developing e-commerce Ecosystems: A Synthesis of Global Experience
David Satola, Senior Legal Counsel, World Bank, dsatola@worldbank.org

Outline
1. The Process of Reform
2. Methods of Authentication
3. Legal and Regulatory Enabling Environment
4. UNCITRAL

e-commerce Ecosystem
Designing a legal and regulatory enabling framework that responds to local needs and is informed by international experience (of which PKI is one part), together with institutional design to enhance trust.
Certainty and predictability lead to increased confidence and use.

Types of E-commerce Activities

From \ To      | Government (G)                | Business (B)                       | Consumer (C)
Government (G) | G2G: coordination             | G2B: information                   | G2C: information
Business (B)   | B2G: government procurement   | B2B: e-commerce between businesses | B2C: e-commerce in consumer markets
Consumer (C)   | C2G: e.g., tax compliance     | C2B: price and other comparisons   | C2C: auction markets

Source: Jonathan Coppel, E-Commerce: Impacts and Policy Challenges 4 (OECD Economics Department Working Paper No. 252, 23 June 2000)

Legal Framework Design
Responds to local needs, but draws on:
- International models and conventions
- Regional norms and initiatives
- Other nations' experience

Reform Process (from current structure to new structure)
Stage 1: Status quo; issue identification and resolution; issues
Stage 2: Policies and objectives; strategies
Stage 3: Implementation
Legal reform runs through all three stages, with broad public consultation and stakeholder buy-in.


Methods for authenticating users of electronic signatures (1)
PKI - asymmetric encryption: a secret (private) key known only to one party, when matched with the public key (held by a 3rd party), forms a pair ensuring data message authenticity. PKI involves a 3rd party that ensures the encryption of the data message is not corrupted. PKI is the preferred authentication method when high levels of certainty regarding the identity of the user are required.

Methods for authenticating users of electronic signatures (2)
"PKI [is] the authentication method of choice when strong evidence of identity and high legal certainty of the electronic signature is required. The use of PKI-enabled smart cards and the integration of digital certificate functions into application software have made the use of this method less complicated for users. However, it is generally acknowledged that PKI is not required for all applications and that the choice of authentication method should be made on the basis of its suitability for the purposes for which it would be used." (UNCITRAL WG IV, Future Work, A/CN.9/630/Add.3)
The implementation of PKI is situation-specific. Even in EU Member States operating under a common set of Directives, each Member State has a different approach to the use of e-signatures, including PKI.
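The two slides above describe PKI in legal terms: a private key known only to the signer, a public key certified by a third party (the CA), and a relying party that trusts the CA rather than the signer's own claim. The following Go program is an added example, not part of the original presentation, that walks through exactly those roles with the standard library: it creates a root CA, has the CA issue a certificate for a signer, signs a data message, and then performs the relying party's checks, including the cases that must fail (a corrupted message, an unrelated key, and a signer whose CA is not in the trust store). The CA name "Example Root CA", the signer name "Alice" and the message text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result records the outcome of each check a relying party makes.
type Result struct {
	ChainOK     bool // signer's certificate chains to the trusted root CA
	SigOK       bool // signature verifies with the certified public key
	TamperedOK  bool // signature verifies after the message was altered (must be false)
	WrongKeyOK  bool // signature verifies with an unrelated public key (must be false)
	UntrustedOK bool // chain verifies against an empty trust store (must be false)
}

// issue signs template with signerKey under parent and returns the parsed certificate.
// For a self-signed root, template and parent are the same object.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunDemo builds a one-level PKI, signs message, and performs the relying party's checks.
func RunDemo(message []byte) (Result, error) {
	var r Result
	now := time.Now()

	// 1. The trusted third party: a root CA with its own key pair and a self-signed certificate.
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return r, err
	}

	// 2. The signer: a private key known only to the signer. The CA binds the matching
	//    public key to the signer's identity by signing a certificate with the CA key.
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	signerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Alice"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signerCert, err := issue(signerTmpl, caCert, &signerKey.PublicKey, caKey)
	if err != nil {
		return r, err
	}

	// 3. The signer signs the SHA-256 digest of the data message with the private key.
	digest := sha256.Sum256(message)
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
	if err != nil {
		return r, err
	}

	// 4. The relying party trusts only the root CA: first check that the signer's certificate
	//    was issued under that root, then verify the signature with the public key taken from
	//    the certificate rather than from anything the signer asserts.
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err = signerCert.Verify(opts)
	r.ChainOK = err == nil
	certifiedPub := signerCert.PublicKey.(*ecdsa.PublicKey)
	r.SigOK = ecdsa.VerifyASN1(certifiedPub, digest[:], sig)

	// Negative checks: a corrupted message, an unrelated key, and a missing trust anchor.
	tampered := sha256.Sum256(append(append([]byte{}, message...), '!'))
	r.TamperedOK = ecdsa.VerifyASN1(certifiedPub, tampered[:], sig)
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	r.WrongKeyOK = ecdsa.VerifyASN1(&otherKey.PublicKey, digest[:], sig)
	_, err = signerCert.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: opts.KeyUsages})
	r.UntrustedOK = err == nil
	return r, nil
}

func main() {
	r, err := RunDemo([]byte("constructed data message: pay 100 to account 42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The order of the checks in step 4 matters in practice: the public key used for signature verification is only meaningful after the certificate carrying it has been chained to a trust anchor, which is the role the slides assign to the third party. The final check shows why the choice of trust anchors (the "Root CA vs. Accreditors" question raised later in the deck) is a policy decision with a direct technical effect: the same valid signature is rejected as soon as the relying party does not trust the issuing CA.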

[Other] Methods for authenticating users of electronic signatures (3)
- Symmetric encryption (shared cryptology, where the same key is used to encrypt a data message at the point of origin and decrypt it at the receiving end)
- Passwords (1 factor) (a symmetric process, e.g., ATM technology)
- Tokens or 2-factor authentication (similar to passwords embedded in the token; tokens can be either physical or electronic)
- Biometrics (such as retinal or other scanning)
- Secure closed systems (dedicated computer-to-computer links or private networks)
- Blended systems (using one of the above digital technologies combined with an orthogonal confirmation, such as a telephone confirmation)

PKI: Countries use different approaches
- How certificates are issued (Root CA vs. Accreditors, Bridge)
- Scope of use of PKI
- How certificates are delivered (e.g., smart cards, file transfer, etc.)

PKI (cont.)
Limited use of PKI, usually linked to a weak/strong signature environment. Strong signatures are appropriate for on-line transaction activities requiring a high degree of verification; weak signatures may be appropriate for others (more later).

Root CA Issues
- Cost
- Publication of Certificate Practices and Policies
- Limitation of liability of Government as Root CA
- Determining the scope of application of digital certificates (DCs)
- Dispute resolution
- Highly specialized training required

PKI Cost
The cost of PKI should take account of the benefits (certainty of authentication) to be derived through the use of PKI systems. The single biggest cost is establishment of the certification process. For Root CAs there is an additional incremental cost for each certificate issued.

PKI Total Cost of Ownership
Cost dimensions:
A. Fixed establishment costs
B. Variable establishment costs
C. Fixed annual costs
D. Variable annual costs
Cost items:
- Application related: all costs associated with PKI enablement of the application
- End user related: all costs associated with supporting end users, including help desk, education, and marketing efforts
- Certificates: the cost or fee per certificate
- RA: costs associated with front-end registration
- CA: costs associated with the back-end Certification Authority operation, i.e., investment in security, cryptographic systems, infrastructure, personnel, facilities and compliance-related activities
- Key media: costs of the media in which end user private keys are conveyed; can be close to zero for simple soft certificates, or can entail license fees for roaming soft certificate solutions
Source: OASIS PKI White Paper


Legal/Regulatory e-commerce Enabling Environment: Basics
- Functional equivalence of electronic signatures and documents
- Non-repudiation
- Authentication: for PKI, certification; other forms technology neutral
- Interoperability (cross-border recognition of authentication models)
- Levels of security (weak vs. strong signatures)
- Institutional arrangements for the CA: Root CA (certificate issuer) vs. Accreditor
- Limitation of liability for a Government Root CA
- Party autonomy: enables parties to establish their own authentication framework
- Scope: types of transactions to which the law applies, and exclusions

Weak vs. Strong: the EU Approach
- Electronic signature: applicable to any authentication of information
- Advanced electronic signature: digital signatures (issued by an untrusted or unknown CA issuing digital certificates)
- Qualified electronic signature: an advanced electronic signature issued by a trusted CA issuing digital certificates

Legal/Regulatory Enabling Environment: Ecosystem
In addition to e-commerce issues, a functioning enabling environment will also feature, e.g.:
- Digital data privacy protection
- Breach notification
- Cybercrimes
- Consumer protection
- Critical infrastructure protection
- IPRs
- Electronic transfers (banking)


UNCITRAL
Two model laws (with legislative guides): e-commerce and digital signatures, available at: http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce/
These contemplate PKI, but not exclusively.

UNCITRAL Convention on the Use of Electronic Communications in International Contracts, 2005
Key features:
- Applies only to cross-border transactions
- Permits legal recognition without changing domestic law
- Harmonizes e-contracting rules across other treaties
- Permits members to exclude certain actions through Declarations
Available at: http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce/2005Convention.html