SSL/TSL EV Certificates CA/Browser Forum Exploratory seminar on e-signatures for e-business in the South Mediterranean region 11-12 November 2013, Amman, Jordan Moudrick DADASHOW CEO, Skaitmeninio Sertifikavimo Centras, Lithuania
History and development 1991 concept of secure sockets (end-point authentication, data confidentiality and integrity) 1993 SNP - Secure Network Programming (secure network programming for the masses) 1995 SSL - Secure Sockets Layer (a proprietary protocol, by Netscape) 1996 SSL version 3.0 (in 2011 published as RFC 6101) CA/Browser Forum 1999 TLS - Transport Layer Security (an open IETF protocol, ver. 1.0: RFC 2246, ver. 1.2: RFC 5246, 2008)
CA/Browser Forum Major characteristics Privacy (based on cryptographic encryption) Integrity (based on digital signature) Application independence (web browsing, e-mail, software updating, DB access, VPN and others) Authentication (based on X.509 certificates)
CA/Browser Forum Frameworks 1995 1996 (BS 7799, EU Recommendation on ITSEC, ABA DS Guidelines) 1997-1999 (EU Requirements for TTP - EG 201 057, IETF RFC 2527, NIST IR COTS PP) 2000-2003 (ANSI X9.79, WebTrust for CAs, ETSI TS 101 456/102 042, ABA PKI GL) 2005 2007 (CA / Browser Forum EV SSL GL, ISO 27001/ISO 27002) 2011-2013 (ETSI EN 319 411-2/3, CA/B Forum BR, NIST IR 7924, ISO 27007/27008)
CA/Browser Forum developments CA/Browser Forum Voluntary consortium (37 CAs, 5 OS/Browser vendors, other interested parties, no regulatory or industry powers over its members) Membership Requirements (Members: Issuing/Root CA or OS/Browser supplier. Bylaws, IPR) Interested parties: IPR, Bylaws, PA. Activities: WG/Meetings/Public ML) Work principles (Agenda-setting/Problem-identification, Teleconference/Face to Face meetings, Rules Drafting, Decision Making/Voting, Implementation, Evaluation) Conduct (IPR Policy, Antitrust Laws and Regulations, no product/service promotion or restriction activities)
CA/Browser Forum documents CA/Browser Forum EV SSL Certificate Guidelines Version 1.4.3 (effective 7/09/2013) Network and CS Security Requirements (effective 1/01/2013) Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.6 (effective 7/29/2013) Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates (Draft version)
EV SSL Certificate CA/Browser Forum Purpose Subject controls a Web site, encrypted communications Legitimacy of a business operating a Web site EV Certificate doesn't represent or warrant: Subject is actively doing business Subject complies with laws, is trustworthy, honest, or reputable; It is safe to do business with the Subject
EV SSL Certificate CA/Browser Forum Certificate Warranties Legal Existence, Identity, Right to Use Domain Name, Authorization for EV Certificate, Accuracy of Information, Subscriber Agreement, Status, Revocation Applicant Warranties Accuracy of Information, Protection of Private Key, Acceptance of Certificate, Use of Certificate, Reporting and Revocation, Termination of Use of Certificate, Responsiveness, Acknowledgment and Acceptance
EV SSL Certificate CA/Browser Forum Applicability CA and its Root CA satisfy the requirements, CP/CPS Implementation and Disclosure, Commitment to Comply with EVG: precedence over CA's EV policy document, Insurance) Eligibility (Private, Government, Business and Non-Commercial Entities) Content (EV Certificate Profile, Certificate Request Requirements)
EV SSL Certificate CA/Browser Forum Verification Requirements Verification of Applicant s Legal, Physical, Operational Existence Domain Name ownership Authority of Contract Signer and Certificate Approver, Signature on Subscriber Agreement and EV Certificate Requests, Approval of EV Certificate Request Requirements to CAs Certificate Issuance by a Root CA, Certificate Revocation and Status Checking, Employee and third party issues, Trustworthiness and Competence, Delegation of Functions to RAs and Subcontractors Audit Eligible Audit Schemes, Audit Period and Record
TSP Security Related Activities 1999 EU Directive Published Directive 1999/93 on Electronic Signatures 2000-2010 - CEN & ETSI published Technical Specifications in support of Directive including: ETSI TS 101 456: Policy requirements for certification authorities issuing qualified certificates ETSI TS 102 042: Policy requirements for certification authorities issuing public key certificates (non qualified) Many (but not all) adopted the ETSI Policy requirements document within varying national supervisory schemes 2007-2012 ETSI applied TS 102 042 to CAB Forum Enhanced & Baseline Requirements for Web Certificate 2012-2015 Becoming European Norms aiming at proposed regulatory framework for Trust Service Providers 11 ETSI 2013 All rights reserved
esignature Standards Framework 6 6 Trusted Lists Providers List of TSP services approved (supervised) by National Bodies (e.g. Trusted Lists) Certificate Authority Time-stamping Signing Servers Validation Services TSPs supporting esignature 4 4 5 5 Trust Application Service Providers Registered email Long term preservation Rules & procedures Formats Signature Creation / Validation Protection Profiles 1 1 Signature Creation & Validation XAdES (XML) (ISO 14533-1) CAdES (CMS) (ISO 14533-2) PAdES (PDF) (ISO 32000-2) AdES in Mobile envmts ASiC (containers) (CEN) Common Criteria Protection profiles Smart Cards HSMs Signing services Signature 2 Cryptographic Suites Creation Devices 2 3 3 Key generation Hash functions Signature algorithms Key lengths... 12 ETSI 2013 All rights reserved
Policy Requirements Document Structure EN 319 401 General Policy Requirements for TSPs EN 319 411-2 CA Issuing Qualified Certificates EN 319 411-3 CA Issuing Public Key Certificates EN 319 411-4 CA Issuing Web Site Certificates. TS 101 456 & TS 102 042 republished as European Norms General requirements moved to EN 319 401 EN 319 411-2 = TS 101 456 (published Jan 2013) EN 319 411-3 = TS 102 042 (published Jan 2013) EN 319 411-4 (draft to be published 2014) = Elements TS 102 042 relating to CAB Guide CAB Forum Web Cert Guide
TSP Conformity Assessment New EN 319 403 under development provides harmonised regime for auditing TSPs against ETSI policy requirements (e.g. EN 319 411-x) Specifies requirements for: Capabilities of Auditor Procedures for carrying carried out Content of audit report Based on International Standards ISO 17065 Requirements for Conformity Assessment Bodies Auditing Services ISO 27006 Requirements for Information Security Management System Audit 14 ETSI 2013 All rights reserved
TSP Conformity Assessment Model: Regulatory Adoption Conformity Assessment Body Competence Accredited in line with ISO 17021 / 17065 Based on Audit report TSP status Set in Trusted List by National Aut y Audit TSP Against standard criteria (e.g. EN 319 411-2) 15 ETSI 2013 All rights reserved
TSP Conformity Assessment : Non-Regulatory Adoption 16 ETSI 2013 All rights reserved
ETSI Key Points ETSI TSP Standards (TS 102 042 etc) adopted in EU, as well Southern Mediterranean, South America, Japan, CAB Forum. Available as European Norms EN 319 403 will provide harmonised audit regime for Regulatory and non-regulatory environments Further Information: http://portal.etsi.org/esi/esi_activities.asp Subscribe to the E-SIGNATURES_NEWS mailing list 17 ETSI 2013 All rights reserved