electronic identification and trust services
DESCRIPTION
Preliminary results of the security mechanisms implemented by Trust Service Providers in Europe.
TRANSCRIPT
www.enisa.europa.eu
ENISA
E-Identification & trust services for electronic transactions Security
Prof. Manel Medina
Andreas Sfakianakis
Content
• eID and Trust service providers regulation in Europe
• Trust Services in the new EU Regulation
• Preliminary results of ENISA’s survey on TSP security and interoperability requirements
• Standards implemented by the TSPs in EU
eID and Trust service providers regulation in Europe
Digital Identity
eIDAS: the EU approach
Regulation on eID and TS
• Building trust in the online environment is key to economic development
• No comprehensive EU cross-border and cross-sector framework for secure electronic transactions that encompasses electronic trust services
• Enhance existing legislation
Scope
• Mutual recognition and acceptance of electronic identification
• Electronic trust services:
– Electronic signatures
– Electronic seals
– Website authentication
– Electronic time stamp
– Electronic delivery service
– Electronic documents
– Long time preservation
Mutual recognition and acceptance of electronic identification
• How does it work? 'notified' eID(s)
• EU Member States obligations:
– ‘notify’ the ‘national’ electronic identification scheme(s) used at home for access to its public services.
– Must recognise ‘notified’ eIDs of other MSs
– Free private & abroad, liability Unambiguous
• Common principles
– Tech. neutral,
– Mutual recognition of qualified,
– Data protection & data minimisation
– Secondary legislation to ensure flexibility: Tech, Best pr.
More on the Regulation on eID and TS
• What is not covered?
– Not eID or EU eID
• Why will it make a difference?
– One single legislation across EU: NO need of Nat. Reg.
– Supervision
– Trusted lists vs. notified ID
– Easy eSignature: “Soft ID”?
– Clear market needs in terms of trust services
• https://ripe66.ripe.net/presentations/291-eIDAS_May2013.ppt
ENISA’s Survey on Trust Services in the EU
ENISA’s work on Trust Services in the EU
• Risk assessment, security requirements and incident management for trust service providers issuing electronic certificates. (ENISA Work Programme 2013)
• Explore security mechanisms used by EU TSPs and identify their interoperability issues. (ENISA Work Programme 2013)
ENISA’s survey on Trust Services in the EU
• Launched anonymous survey intended for TSPs
• Survey is still online!! https://www.enisa.europa.eu/trust-services-in-eu
• The final results of the survey will be presented at a workshop for trust service providers: https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/eid-workshop
General Security Audit (I): Kind of Audits
General Security Audit (II): Periodicity
[Chart: Periodicity of audits; categories: <=12 months, > 12 months]
15% indicated less than 12 months
General Security Audit (III): Applied Standards
[Chart: Which general security management standards do you follow?]
• ETSI TS 102042
• ETSI TS 101456
• WebTrust
• etc.
General Security Audit (& IV): Audit Supporting documents
[Chart: audit supporting documents; categories:]
• Certification Practice Statement
• Information Security Policy
• Job descriptions for Trusted Roles
• Inventory of Assets
• Business Risk Assessment
• Business Continuity Plan
• Incident Response Plan
• CA Termination Plan
94% of participants issue certificates
94% of the TSPs provide (or intend to provide) e-certificates, 78% other trust services and 22% only electronic certificates.
Other TSs Provided (mostly by CSPs)
[Chart: What kind of services do the TSPs provide?]
Supported standards (I): e-signature
Supported standards (II): Time Stamping
[Chart: What TimeStamping format standards are supported?]
• RFC 3161 Time Stamp Protocol
• DSS XML TimeStamping Profile
Supported standards (III): Certificate Validation
[Chart: What certificate validation standards are supported?]
• OCSP
• CRL
• SCVP
Supported standards (& IV): Long Time Preservation
[Chart: What standards are used to provide long-time preservation of e-Signatures?]
Risk / Impact perception (I): Time Stamping
[Chart: Security Risks for TimeStamping Services; axes: Probability, Impact]
• Compromise of the TSA’s signature creation data (private key)
• Loss of evidence in chain of trust in the preservation of Tokens
• Compromise of the main time source
• Loss of accuracy of the main time source
• Unavailability of the main time source
Risk / Impact perception (II): Electronic Documents
Risk / Impact perception (III): Electronic Delivery
Risk / Impact perception (IV): Certificate Validation
[Chart: Security Risks for Validation Services; axes: Probability, Impact]
• Unavailability of the service
• Web site / web service impersonation
Risk / Impact perception (& V): Long Time Preservation
For further information and feedback
• [email protected]
• [email protected]
• https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/trust-services-in-eu
• https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/eid-workshop