SSL/TLS EV Certificates

CA/Browser Forum
Exploratory seminar on e-signatures for e-business in the South Mediterranean region, 11-12 November 2013, Amman, Jordan
Moudrick Dadashow, CEO, Skaitmeninio Sertifikavimo Centras, Lithuania

History and development
- 1991: concept of secure sockets (end-point authentication, data confidentiality and integrity)
- 1993: SNP - Secure Network Programming (secure network programming for the masses)
- 1995: SSL - Secure Sockets Layer (a proprietary protocol, by Netscape)
- 1996: SSL version 3.0 (in 2011 published as RFC 6101)
- 1999: TLS - Transport Layer Security (an open IETF protocol; ver. 1.0: RFC 2246, ver. 1.2: RFC 5246, 2008)

Major characteristics
- Privacy (based on cryptographic encryption)
- Integrity (based on digital signature)
- Application independence (web browsing, e-mail, software updating, DB access, VPN and others)
- Authentication (based on X.509 certificates)

Frameworks
- 1995-1996: BS 7799, EU Recommendation on ITSEC, ABA DS Guidelines
- 1997-1999: EU Requirements for TTP (EG 201 057), IETF RFC 2527, NIST IR COTS PP
- 2000-2003: ANSI X9.79, WebTrust for CAs, ETSI TS 101 456 / TS 102 042, ABA PKI GL
- 2005-2007: CA/Browser Forum EV SSL GL, ISO 27001 / ISO 27002
- 2011-2013: ETSI EN 319 411-2/3, CA/B Forum BR, NIST IR 7924, ISO 27007 / 27008

CA/Browser Forum developments
- Voluntary consortium: 37 CAs, 5 OS/Browser vendors and other interested parties; no regulatory or industry powers over its members
- Membership requirements: members are Issuing/Root CAs or OS/Browser suppliers (Bylaws, IPR); interested parties (IPR, Bylaws, PA); activities: working groups, meetings, public mailing list
- Work principles: agenda-setting / problem identification, teleconference and face-to-face meetings, rules drafting, decision making / voting, implementation, evaluation
- Conduct: IPR Policy, antitrust laws and regulations, no product/service promotion or restriction activities

CA/Browser Forum documents
- EV SSL Certificate Guidelines, Version 1.4.3 (effective 7/09/2013)
- Network and Certificate System Security Requirements (effective 1/01/2013)
- Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Version 1.1.6 (effective 7/29/2013)
- Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates (draft version)

EV SSL Certificate: Purpose
- Subject controls a Web site; encrypted communications
- Legitimacy of a business operating a Web site
An EV Certificate doesn't represent or warrant that:
- the Subject is actively doing business
- the Subject complies with laws, is trustworthy, honest, or reputable
- it is safe to do business with the Subject

EV SSL Certificate: Warranties
- Certificate Warranties: Legal Existence, Identity, Right to Use Domain Name, Authorization for EV Certificate, Accuracy of Information, Subscriber Agreement, Status, Revocation
- Applicant Warranties: Accuracy of Information, Protection of Private Key, Acceptance of Certificate, Use of Certificate, Reporting and Revocation, Termination of Use of Certificate, Responsiveness, Acknowledgment and Acceptance

EV SSL Certificate: Applicability
- The CA and its Root CA satisfy the requirements (CP/CPS implementation and disclosure; commitment to comply with the EV Guidelines, which take precedence over the CA's EV policy document; insurance)
- Eligibility: Private, Government, Business and Non-Commercial Entities
- Content: EV Certificate Profile, Certificate Request Requirements

EV SSL Certificate: Verification Requirements
- Verification of the Applicant's legal, physical and operational existence; domain name ownership; authority of Contract Signer and Certificate Approver; signature on Subscriber Agreement and EV Certificate Requests; approval of the EV Certificate Request
- Requirements on CAs: certificate issuance by a Root CA, certificate revocation and status checking, employee and third-party issues, trustworthiness and competence, delegation of functions to RAs and subcontractors
- Audit: eligible audit schemes, audit period and record

TSP Security Related Activities (ETSI)
- 1999: EU Directive 1999/93 on Electronic Signatures published
- 2000-2010: CEN & ETSI published Technical Specifications in support of the Directive, including:
  - ETSI TS 101 456: Policy requirements for certification authorities issuing qualified certificates
  - ETSI TS 102 042: Policy requirements for certification authorities issuing public key certificates (non-qualified)
  Many (but not all) adopted the ETSI policy requirements documents within varying national supervisory schemes
- 2007-2012: ETSI applied TS 102 042 to the CAB Forum Enhanced & Baseline Requirements for web certificates
- 2012-2015: becoming European Norms aimed at the proposed regulatory framework for Trust Service Providers
ETSI 2013 All rights reserved

eSignature Standards Framework (diagram)
- Area 1, Signature Creation & Validation: XAdES (XML, ISO 14533-1), CAdES (CMS, ISO 14533-2), PAdES (PDF, ISO 32000-2), AdES in mobile environments, ASiC (containers, CEN)
- Area 2, Signature Creation Devices: Common Criteria protection profiles for smart cards, HSMs and signing services
- Area 3, Cryptographic Suites: key generation, hash functions, signature algorithms, key lengths, ...
- Area 4, TSPs supporting eSignature: Certificate Authority, Time-stamping, Signing Servers, Validation Services
- Area 5, Trust Application Service Providers: Registered email, Long term preservation
- Area 6, Trusted Lists Providers: list of TSP services approved (supervised) by National Bodies (e.g. Trusted Lists)
Also shown across the areas: Rules & procedures, Formats, Signature Creation / Validation, Protection Profiles

Policy Requirements Document Structure
- EN 319 401: General Policy Requirements for TSPs
- EN 319 411-2: CA Issuing Qualified Certificates
- EN 319 411-3: CA Issuing Public Key Certificates
- EN 319 411-4: CA Issuing Web Site Certificates
TS 101 456 & TS 102 042 republished as European Norms; general requirements moved to EN 319 401:
- EN 319 411-2 = TS 101 456 (published Jan 2013)
- EN 319 411-3 = TS 102 042 (published Jan 2013)
- EN 319 411-4 (draft, to be published 2014) = elements of TS 102 042 relating to the CAB Forum Web Certificate Guidelines

TSP Conformity Assessment
New EN 319 403 (under development) provides a harmonised regime for auditing TSPs against ETSI policy requirements (e.g. EN 319 411-x). It specifies requirements for:
- capabilities of the auditor
- procedures for carrying out the audit
- content of the audit report
Based on International Standards:
- ISO 17065: Requirements for Conformity Assessment Bodies Auditing Services
- ISO 27006: Requirements for Information Security Management System Audit

TSP Conformity Assessment Model: Regulatory Adoption (diagram)
- Conformity Assessment Body: competence accredited in line with ISO 17021 / 17065
- Audit: TSP audited against standard criteria (e.g. EN 319 411-2)
- TSP status: set in the Trusted List by the National Authority, based on the audit report

TSP Conformity Assessment: Non-Regulatory Adoption (diagram)

ETSI Key Points
- ETSI TSP standards (TS 102 042 etc.) adopted in the EU, as well as in the Southern Mediterranean, South America, Japan and the CAB Forum; available as European Norms
- EN 319 403 will provide a harmonised audit regime for regulatory and non-regulatory environments
Further information: http://portal.etsi.org/esi/esi_activities.asp
Subscribe to the E-SIGNATURES_NEWS mailing list