eidas Regulation in the context of Cybersecurity: Electronic seals and website certificates: Two sides of a (gold) medal?

Similar documents
Electronic signature framework

eidas-compliant signing of PDF

eidas Regulation eid and assurance levels Outcome of eias study

eidas Regulation (EU) 910/2014 eidas implementation State of Play

European Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the EU internal market

Digitalisation and electronic signatures

Countdown to eidas. Date: 19/04/2016 Auteur: CTIE Révision: 1.0 Ref: EIDAS_CTIE_4 Page 1

Address: B2, Industry Street, Qormi, QRM 3000 (Malta) Telephone: (+356) Fax: (+356) Web: ANF AC MALTA, LTD

ETSI ESI and Signature Validation Services

Cosmos POFESSIONALS OF SAFETY ENGINEERING

Electronic registered delivery services (ERDS) in light of the eidas regulation. Warsaw Common Sign Conference 2015

Digital Austria = egov best practice in d Europe

EXBO e-signing Automated for scanned invoices

eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote

PSD2/EIDAS DEMONSTRATIONS

TRUSTIS FPS. Enrolment Requirements: Acceptable Evidence in Support of an Application for a Digital Certificate

eidas & e-delivery CE Midsummer Conference "The role of policy decisions in the postal & delivery industry", Copenhagen (DK), 12 June 2017

Lao PDR Practice for Information Security

QUICKSIGN Registration Policy

FOR QTSPs BASED ON STANDARDS

IAS2. Electronic signatures & electronic seals Up-dates - feedbacks from :

Registro Nacional de Asociaciones. Número CIF G

simply secure IncaMail Information security Version: V01.10 Date: 16. March 2018 Post CH Ltd 1 / 12

Call for Expressions of Interest

DAkkS Who we are. Attesting competence, Assuring quality, Creating confidence.

CEN & ETSI standards & eidas Compliance

IFY e-signing Automated for scanned invoices

THE CO-OPERATIVE BANK OF KENYA LIMITED

Security guidelines on the appropriate use of qualified electronic seals Guidance for users

Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

Trust Services for Electronic Transactions

Comparison of Electronic Signature between Europe and Japan: Possibiltiy of Mutual Recognition

ETSI TR V1.1.1 ( )

Sándor Szőke, Dr. Microsec Ltd. Migration of national PKI Services to eidas conformant Trust Services case study in Hungary

Registry for identifiers assigned by the Swedish e-identification board

eid building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics

eias Study on an electronic identification, authentication and signature policy SUPERVISION Presentation on status

PRICE LIST TRUST SERVICE PRODUCTS. Price List Version 5.9 Berlin, April Copyright 2018, Bundesdruckerei GmbH. Seite 1/9

SSL/TSL EV Certificates

Electronic and digital signatures in Adobe Sign for government.

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Privacy Statement for Use of the Trust Service of Swisscom IT Services Finance S.E., Austria

SAT for eid [EIRA extension]

Legal notice in a newsletter What do you need to know?

Digital Signatures Act 1

Questionnaire For Company / LLP Registration

Draft ETSI TS V0.0.3 ( )

Security Aspects of Trust Services Providers

Ordering procedure for Signing Server Token

eidas compliant Trust Services with Utimaco HSMs

ETSI Electronic Signatures and Infrastructures (ESI) TC

ETSI STF 412 AUDIT GUIDELINES FOR EVC (24 TH JAN 2012)

Digital Certificates. PKI and other TTPs. 3.3

e SENS Pilots of eid, esignatures and Trusted Services

Certification Practice Statement

ETSI - European CA-Day. November 29th 2012 I Dr. Kim Nguyen, Chief Scientist Security, Managing Director D-Trust

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

UDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules)

European Union Agency for Network and Information Security

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Session 1. esignature and eseal validation landscape. Presented by Sylvie Lacroix esignature and eseal validation workshop, Jan

Krajowa Izba Rozliczeniowa S.A.

ETSY.COM - PRIVACY POLICY

e-sens Electronic Simple European Networked Services

Interoperability & Archives in the European Commission

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

eidas Regulation (EU) 910/2014 and the Connecting Europe Facility Boosting trust & security in the Digital Single Market

Technical Trust Policy

Ordering procedure for Signing Server Token / SMS

Privacy Statement for Use of the Certification Service of Swisscom (sales name: "All-in Signing Service")

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

THE LEGALITY OF THE ELECTRONIC SIGNATURE IN THE EUROPEAN UNION

Trust Service Provider Technical Best Practices Considering the EU eidas Regulation (910/2014)

Singapore s National Digital Identity (NDI):

Data subject ( Customer or Data subject ): individual to whom personal data relates.

3. What is the name of the organisation that runs your business registry?

TATA CONSULTANCY SERVICES LIMITED CERTIFYING AUTHORITY REQUEST FORM FOR CLASS-2 CERTIFICATE / / Version Class-2 Certificate (Company)

Gateway Certification Authority pilot project

ILNAS/PSCQ/Pr004 Qualification of technical assessors

in a National Service Delivery Model 3 rd Annual Privacy, Access and Security Congress October 4, 2012

Conformity and Interoperability Key Prerequisites for Security of eid documents. Holger Funke, 27 th April 2017, ID4Africa Windhoek

Audit Attestation for FINA

FAQ about the General Data Protection Regulation (GDPR)

Emsi Privacy Shield Policy

Certification Policy for Legal Representatives of Legal Persons Certificate. Certificate Profile

ETSI TC ESI WORK ON ELECTRONIC REGISTERED DELIVERY SERVICES AND REGISTERED ELECTRONIC MAIL

Handwritten signatures are EOL Panos Vassiliadis

Krajowa Izba Rozliczeniowa S.A.

Trusted Identities That Drive Global Commerce

PKI Disclosure Statement Digidentity Certificates

Audit Attestation for. Fabrica Nacional de Moneda y Timbre Real Casa. de la Moneda

Efficient, broad-based solution for a Swiss digital ID

ISO/IEC TR Information technology Security techniques Guidelines for the use and management of Trusted Third Party services

ADMINISTRATION DEPARTMENT TENDER FOR RENEWAL OF EXISTING KASPERSKY ANTIVIRUS TOTAL SECURITTY FOR BUSINESS LICENSES FOR USE AT NIT KARACHI

ENISA s Position on the NIS Directive

CertDigital Certification Services Policy

ITU Workshop on Security Aspects of Blockchain (Geneva, Switzerland, 21 March 2017) Blockchains risk or mitigation?

Transcription:

eidas Regulation in the context of Cybersecurity: Electronic seals and website certificates: Two sides of a (gold) medal? public 1

AGENDA 1. eidas Strategic View 2. Website Certificates 3. Electronic Seals 4. Identification of Legal Persons 5. Business Integration 6. Synthesis public 2

eidas 2012: Pan European Trust Services eregistered Delivery esignature Timestamps crossborder eid eseals Website-Auth public 3

eidas: Pan European Trust Services eregistered Delivery esignature Timestamps eidas crossborder eid eseals Website-Auth public 4

eidas: Pan European Trust Services in Force since 9/14 ehealth ebanking egovernment eidas ebusiness etender econtrating public 5

NEW APPROACH FOR LEGAL FRAMEWORK: EU EIDAS- REGULATION EU regulation on electronic identification and trust services for electronic transactions in the internal market. Added Mutual recognition of electronic identification [E-ID] Extended Supervision of Certification Service Providers to Trust Service Providers, includes proactive supervision Qualified Electronic trust services: Electronic signatures interoperability and usability, Electronic seals interoperability and usability, Time stamping, Electronic delivery service, Electronic documents admissibility, Website authentication. ETSI 2012. All rights reserved public 6

NEW APPROACH FOR LEGAL FRAMEWORK: EU EIDAS- REGULATION website authentication certificates (aka Q WACs) ETSI 2012. All rights reserved public 7

CA/B-FORUM: PHISHING IN 2006 public 8

CA/B-FORUM GREEN BAR CONCEPT FOR WEBSITE CERTS public 9

EIDAS REGULATION: DEFINITIONS Website authentication services provide a means by which a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website../ this Regulation should lay down minimal security and liability obligations for the providers and their services. To that end, the results of existing industry led initiatives, for example the Certification Authorities / Browsers Forum - CA/B Forum, have been taken into account. (38) ' certificate for website authentication' means an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued; (39) 'qualified certificate for website authentication' means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV; 0 public 10

1 public 11

1 public 12

Qualified WACS without Rootstore Integration or TSL Acceptance 3 public 13

NEW APPROACH FOR LEGAL FRAMEWORK: EU EIDAS- REGULATION electronic seals 4 public 14

DEFINITION/CLASSIFICATION Article 3(25) of the eidas Regulation "Electronic seal" means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter's origin and integrity. Two (security) levels "Advanced electronic seal" "Qualified electronic seal" Public authority seal and company stamp are being transported into the age of the Internet reliable, legally binding, recognised throughout Europe public 15

DEFINITION/CLASSIFICATION Article 36 of the eidas Regulation "Advanced electronic seal" is an electronic seal that meets the following requirements: it is uniquely linked to the creator of the seal; it is capable of identifying the creator of the seal; it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable. "Qualified electronic seal" is an advanced electronic seal; which is created by a qualified electronic seal creation device; and that is based on a qualified certificate for electronic seals. public 16

DEFINITION/CLASSIFICATION Aims of the electronic seal Article 59 and 65; Section 5, Article 35 (1) of the eidas Regulation Evidence that an electronic document was issued by a legal person Confirmation of the origin and integrity of a document Legal effect and admissibility as evidence in legal proceedings Authentication of documents issued by legal persons Authentication of digital assets of legal persons (!) No signature as willfull act replacement Electronic seal as proof of origin of a document public 17

DEFINITION/CLASSIFICATION Principles of operation Trust service providers issue an electronic certificate that clearly identifies the relevant legal persons; contains the technical components for signing, authentication and encryption; can also contain certificate attributes, such as number in the Commercial Register or Chamber of Industry and Commerce, VAT ID No., employer number. public 18

TARGET GROUPS Seal managing offices Municipal authorities (tax offices, registry offices, aliens' registration authorities, etc.), federal-state authorities, government authorities, police, courts, schools, universities, churches, chambers of industry and commerce, etc. for certification/deeds/certificates, etc. Electronic seal as an "official seal" on the Internet Private-sector businesses and organisations: Electronic seal as the counterpart to the company stamp/stationary in order to guarantee the authenticity of the sender and document (e.g. insurance companies, banks) Electronic seal as "ID for companies" on the Internet public 19

PRACTICAL IMPLEMENTATION OF A SEAL PROCESS Silent application... Legal person (Seals) Hash value (Verification) Authentication process Seals/ Verification Result and handover Document public 20

OPTIONS FOR USE For public authorities Electronic certification and deeds Certificate for professional qualifications/certificates For private companies Business tax returns Electronic contract awarding Issuing electronic bids Signing electronic invoices For private companies and public authorities Issuing electronic information and notices E-mail security (signature and encryption) Business to Government identification Evidence for electronic archives/replacement scanning public 22

APPLICATION EXAMPLES Statutory health insurance companies Notices Information regarding services Information regarding applicable statutory conditions Information regarding increases/reductions in contributions Overview of contribution payments, and much more Are sent on paper as bulk letters Electronic seal guarantees the authenticity of the sender and document when this letter is sent in electronic form Allows legal persons to change from paper-based documents to electronic documents while maintaining legal effect public 23

NEW APPROACH FOR LEGAL FRAMEWORK: EU EIDAS- REGULATION Electronic Seals versus Website Authentication. 4 ETSI 2012. All rights reserved public 24

EIDAS DEFINITION IN THE ANNEX Qualified Website Certificates (b) for a legal person: the name and, where applicable, registration number as stated in the official records, for a natural person: the person's name; (c) for natural persons: at least the name of the person to whom the certificate has been issued, or a pseudonym. If a pseudonym is used, it shall be clearly indicated; for legal persons: at least the name of the legal person to whom the certificate is issued and, where applicable, registration number as stated in the official records; (d)elements of the address, including at least city and State, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records; (e) the domain name(s) operated by the natural or legal person to whom the certificate is issued; Qualified Seal (b) - for a legal person: the name and, where applicable, registration number as stated in the official records, for a natural person: the person's name; (c) at least the name of the creator of the seal and, where applicable, registration number as stated in the official records; public 25

Identification of a legal person public 26

DEFINITION OF IDENTIFIER ACCORDING TO ETSI http://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.00.00_20/en_3 1941201v010000a.pdf The semantics of id-etsi-qcs-semanticsid-legal shall be as follows. When the legal person semantics identifier is included, any present organizationidentifier attribute in the subject field shall contain information using the following structure in the presented order: 3 character legal person identity type reference; 2 character ISO 3166 [2] country code; hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and identifier (according to country and identity type reference). The three initial characters shall have one of the following defined values: 1) "VAT" for identification based on a national value added tax identification number. 2) "NTR" for identification based on an identifier from a national trade register. public 27

OVERVIEW OF LEGAL PERSONS IN GERMANY a. Public bodies b. Associations, foundations c. Co-operatives d. Corporations e. Partnerships f. Freelance professions Other semantic identifiers for legal persons must be introduced at national and international level so that seals can be issued according to eidas. public 28

CONCLUSION Generally speaking, the fields of application for seals and web certificates are very different. The identification requirements for a legal person are largely identical where seals and web certificates are concerned. This means that a user only needs to be identified just once and can request and use both services via a trust service provider. public 29

DISCLAIMER Enrico Entschew E-mail: enrico.entschew@bdr.de Telephone: +49 (0) 30-2598-3070 Arno Fiedler Dienstleister E-Mail: arno.fiedler@nimbus-berlin.com Telephone: +49-172-3053272 Please note: This presentation is the property of Bundesdruckerei GmbH. All of the information contained herein may not be copied, distributed or published, as a whole or in part without the approval of Bundesdruckerei GmbH. Copyright 2015 by Bundesdruckerei GmbH. public 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback