1 bridge/gateway ca project status gzim ocakoglu european commission – dg entr / idabc reykjavik...
TRANSCRIPT
1
Bridge/Gateway CA Project Status
Gzim OCAKOGLUEuropean Commission – DG ENTR / IDABC
Reykjavik – 27 May 2005
2
Outline
• Introduction to IDABC Programme• Bridge/Gateway CA Project History• Bridge/Gateway CA Pilot
– Part 1 Pilot Implementation– Part 2 Recommendations for an operational
BGCA• Conclusions
3
From IDA to IDABC
• 1995: first IDA Programme (Interchange of Data between Administration)
• 1999: IDA II• 2005 – 2009 : IDABC Programme
(Interoperable delivery of pan-European eGovernment services to Administration, Business and Citizens)
4
“The objective of the IDABC programme is to identify, support and promote the development and establishment of
• pan-European eGovernment services• and the underlying interoperable telematic
networks supporting the Member States and the Community in the implementation … of Community policies and activities,
• achieving substantial benefits for public administrations, businesses and citizens.”
Objective of IDABC
5
Why a Bridge/Gateway CA ?
• IDA PKI deployed as a stop-gap solution in IDA II Programme– Members of sectoral networks should rely on national PKIs
(Currently not available for most civil servants)• eEurope Action Plan
– support for electronic signatures in public administration
• Member States’ policy
– ability to use the electronic certificates issued by their national CAs in pan-European business
• IDA II programme policy
– encourage interoperability, use of standards, use of e-signature, etc.
– Conclusions from previous projects
6
Objective of the Bridge/Gateway CA Pilot
• to establish an intermediate trust infrastructure to allow a MS or the Commission to have trust and confidence in electronic certificates issued at the national level to civil servants participating in IDA networks.
7
BGCA Project History
• 1999 : First PKI CUG’s established under the IDA Programme : issue of interoperability (recognition) of national digital certificates was raised by MS
• July 2002 : Bridge CA Feasibility Study issued as a result of TAC request
• July 2003 : “WP1” : Analysis of Bridge CA Requirements completed and reviewed
• July 2004 : Selection of ETSI TSL standard as technical solution for BGCA Pilot
• November 2004 : “WP1.2” deliverables available• December 2004 : BGCA Pilot Launch
8
Summary of Bridge CA Feasibility Study
http://europa.eu.int/idabc/en/document/3235#feasibility
• Need of strong political support (e.g. explicit commitment from the European Commission)
• Need of governing body with high level participation of MS in the body
• Architecture : Modified Bridge CA or BGCA (distribution of signed trust lists)
• Need of some form of harmonisation of certification policies
• Need of agreed minimum standards and operating procedures for CA’s
• Operation of the Bridge : suitable European agency or external contractor?
• Need for a pilot
9
Summary of WP1.2 deliverables
• Reference documents : http://europa.eu.int/idabc/en/document/3235/5585
• Trust list usage recommendations– Usage of Trust lists : solely for distribution purposes
(not for storage of trust)– 3 trust models will be explored (add, remove or accept
CA’s from trusted lists)– Standard : use of ETSI TS 102 231 with modified
profile– Applications to be used : SSL mutual authentication
and S/MIME• Network Architecture• Test Programme
10
BGCA Pilot• Part 1 : Implementation of Pilot
– Set-up of BGCA Infrastructure– Set-up of Test Infrastructure– Running of Pilot Tests– Report on test results – Final report on technical requirements for MS
administrations • Part 2 : Recommendations for operational Bridge/Gateway
CA– Practices Statement for operational BGCA– Participation documents (including procedures) for
operational BGCA– Recommendations for extension of Pilot to Industry
11
Part 1: BGCA Pilot phase : status
• 9 participating countries – Belgium– Italy– Germany– Finland– Czech Republic– Estonia– Slovakia– Slovenia– Iceland
12
MSMS
MSMS
MSMS
MSMS
European Bridge/
Gateway CA
CA CA CA
CA CA CA CA
CA
Participating Member States
end-user
end-user
Bridge Practices Statements (CPS + signature policy)
in issuing TSL to Participating
Member States CAs
PKI Disclosure Statement
including “Trust Validation Info”
in each Certificate Policies for
each Participating CA
signed message Validation of
signed message ?
Trust Equivalence Matrix
between Certificates types
accross Participating CAs
Signature Validation Guidelines
in assessing trust in end-user
signature
v
MOU agreement
Part 2 : Recommendations for operational Bridge/Gateway CA
13
European IDA Bridge/Gateway CA Certificate Practice Statement
Participating Member State Administration MOU
ETSI TS 101 456ETSI TS 102 042IETF RFC 2527IETF RFC 3647
Scheme Policy
Recommendations for future extensions of the European IDA Bridge/Gateway CA
Recommendations on Signature Creation and Verification for end-users
EBGCA-DEL-018 - Trust Matrix
ETSI TS 101 456 IETF RFC 3647
Participating Member CA PKI Disclosure Statements, Certificate Policies and Certificate Practice Statements
Participating Member State Administration Participation Form
Schematically
14
EBGCA stakeholders• EBGCA Authority Level
– BGCA Governing Board or Body : with representatives of all concerned parties
• E.g. European Commission or agency• MS representatives, responsible for the national PKI’s
– BGCA Policy Authority : implementation of the BGCA Policy scheme (including CP’s mapping)
– BGCA Evaluators : independent agents that will determine trust level of requesting CA’s
– BGAC Operational Authority : coordination of operation of the BGCA (CA and RA services, TSL services, tesbed services)
• European MS Administration level– MS administration– MS evaluator (e.g. existing national supervision of
accreditation body)– MS CA service provider
• European MS Administration end-user level
15
European IDA Gateway/Bridge Authority Level
European Bridge/Gateway Policy Authority
European Bridge/Gateway Operational Authority
European Member States Administration Level
European Member State Administration Relying Party
European Bridge/Gateway Technical assessors
European IDA Gateway/Bridge Governing Board
European Member State Administration Certificate Holder
European Member State Administration end users level
European Member State Administrations
European Administration Member State CA
European Bridge/Gateway Evaluator
MOU Scheme Policy
PKI PDS – CP – CPS
European Bridge/Gateway CA Service Provider
European Bridge/Gateway test bed service provider
European Bridge/Gateway TSL Service Provider
European Member State CA Evaluator
16
Content of the Practise Statements
• Based on RFC 3647– Main drivers : further facilitate the comparison between different CPs and
CPSs (to ease the comparison of the trust levels provided by the CA’s of the different MS Administrations important that CPS of the BGCA itself is very clear).
• Content : – Publication and repository responsibilities– Identification and authentication (naming ID validation, …)– Certificate life-cycle operational requirements
• Submission and enrolment• Certificate application processing• Certificate/TSL issuance• Certificate/TSL acceptance• Certificate usage/renewal/re-key/modification/revocation/suspension• Certificate status services
– Facility, management and operational controls– Technical Security vcontrols– Certificate profile, CRL, OCSP– Compliance Audit– Business and Legal matters (Fees, financial responsibility, IPR, warranties,
liability, …)
17
Content of Trust Matrix
• Objective : guideline to determine the equivalence between CP’s
• Scope: – Definition of seven categories of CP’s– PDS requirements and layout
• CA contact information• Certificate type, usage• Obligation of users/relying parties
– PDS statements profiling towards TSL level
18
Remaining Issues
• Technical issues : – Central validation services in the model?– Central Time-stamping solution ?
• Legal Issues : – liability of the BGCA?– Applicable law for the MoU
• Policy issues :– Form of the Governing Body : European
Institution?– Language of documentation– Validity and signature of the MoU’s
19
Conclusions
• Bridge/Gateway CA Pilot results expected in 3Q2005– Results of technical implementation and tests– Recommendations for an operational
European Bridge/Gateway CA• Pending or future actions for an operational
European Bridge/Gateway CA– Interpretation of Pilot Results– Agreement on BGCA Governing Body, MoU
format and concept of PDS and Trust Matrix– Definition of ownership of BGCA and
deployment
20
THANK YOU !
Web: http://www.europa.eu.int/idabc
E-mail: [email protected]
Address: IDABC SecretariatDG Enterprise/I.5 - SC15 2/50European CommissionB-1049 Brussels, Belgium
More Information :