ETSI-ESI Workshop on Electronic Signatures

Washington D.C. - February 9th 2012

ETSI ESI Chairperson, Prof. Riccardo Genghini

© ETSI 2012. All rights reserved

WHY THIS WORKSHOP ?

• US and EU PKI implementations follow parallel approaches, with a mutual interest in interoperability

• Since 2007 Adobe has pursued the strategy of “opening” the PDF format (ISO 32000)

• Since 2008 Adobe actively contributes to the creation and maintenance of EU standards, with very valuable inputs

• EU legislation (and Member states legislation) has adopted ISO 32000 as the preferred e-document format

OPPORTUNITIES

• The widespread adoption in Europe of PDF/A as the digital document format for Government and Enterprises…

• The use of CAdES, XAdES and PAdES…

• The implementation of a comprehensive TSL

• The implementation of interoperability environments (like LSPs and ETSI-Plugtests)…

is reshaping the world of digital documentation and of e-Government, creating new powerful cross-border best practices

AIMS OF THIS WORKSHOP

• Sharing information and experiences

• Networking

• Finding possible environments/projects on which to co-operate or exchange information in the future

WORKING AGENDA

• EU Experts Presentations in the morning, followed by panel discussion open to questions from the floor (very welcome!) moderated by Riccardo Genghini - ETSI-ESI

• US Experts Presentations in the afternoon, followed by panel discussion open to questions from the floor (very welcome!) moderated by Leonard Rosenthol - Adobe

Pan European framework for electronic identification, authentication and signature

[email protected]

European Commission DG Information Society & Media

Current eSignature / eID status in EU

1. Directive 1999/93/EC legal framework

2. CEN and ETSI e-signature standards

3. Member States + industry investments

4. In Services Directive context:

• “Trusted list” of qualified certificates providers

• “Points of Single Contact” must handle ETSI signature formats

5. No EU legislation on eID

What is changing the landscape?

New drivers for eSignatures and ancillary services:

– Public e-procurement

– Services Directive

– Business processes automation

– eID cards infrastructure

New landscape!

Challenge for EU policy

• Objective:

– to strengthen Single Market by boosting convenience and trust online

• Requires secure and seamless cross-border e-interactions:

– between administrations, businesses and citizens

– Offering legal certainty

– Easy to use by non specialists

– Low cost

– Working across EU and international borders

EP resolutions related to e-signature

1. Completing the internal market for e-commerce
EU Parliament Resolution 21.9.10, P7_TA(2010)0320 - IMCO

48. Stresses the importance of e-signatures and of PKI for pan-European secure e-government services, and calls on Commission to set up a European Validation Authorities Gateway to ensure cross-border interoperability for e-signatures

2. Internet governance: the next steps
EU Parliament Resolution 15.6.10, P7_TA(2010)0208 - ITRE

24. Stresses the importance of the security of electronic services, especially of e-signatures, and of the need for the creation of the PKI at Pan-European level, and calls on Commission to set up a European Validation Authorities Gateway in order to ensure the cross-border interoperability of e-signatures and to increase the security of transactions carried out using the internet

Revision of eSignature Directive + eID mutual recognition

EC’s reiterated political commitment:

1. Digital Agenda for Europe 19.5.2010, COM(2010)245

2. European eGov Action Plan 2011-15 15.12.10, COM(2010)743

3. Single Market Act 13.4.11, COM(2011)206

4. A roadmap to stability and growth 12.10.11, COM(2011)669

• TOP PRIORITY TO SUPPORT EU GROWTH!!!

• European Council conclusions 23.10.11

5. Commission Work Programme 2012 15.11.11, COM(2011)777

• Pan European framework for electronic identification, authentication and signature. 2Q2012

1st step: public consultation on eID, authentication & signature

• Objective:

– To gather stakeholders’ views on the existing situation and potential solutions

– Closed on 15.4.2011

• Overall picture:

– 434 contributions

– Diverging views on the causes of low eSignature take-up

– Diverging opinions on how to address issues

• Results on eSignature website on europa

Pan EU framework for electronic identification, authentication and signature

• Coverage (to be confirmed):

– Mutual recognition and acceptance of e-identification across borders

– eSignature interoperability and usability

– Cross-border dimension of related ancillary trusted services and credentials:

• time stamping,
• signature long term validation,
• e-seals,
• registered documents e-delivery,
• e-documents,
• website authentication.

Building of Trust Electronic identification, authentication & signatures

Common principles

1. eID / eAuthentication:

2. eSignatures

3. Ancillary trusted services:

• eSeals
• Time stamps
• eSig long term validation
• Certified eDelivery
• eDocuments (copie conforme)
• Website authentication

Specific Requirements

• Trust & Confidence
• Convenience
• Consent
• Data protection
• Transparency
• Technological neutrality
• Security
• Credential issuance reliability (supervision, …)
• Internal market

Trust enablers

• Legal effect
• Mutual recognition / acceptance
• Liability
• Reference to standards

Pan European framework for electronic identification, authentication and signature

• Natural & legal persons

Three-pronged approach

Systematically for most trusted services, credentials and products:

1. Technology neutral definition

– Non discrimination «electronic vs. paper»

Security insurance level: N/A. Techno neutrality: 99%

2. “Qualified level” (Q-level)

– Defined by target security requirements

– «Rewarded» by higher legal effect

– Does not specify means to achieve them

Security insurance level: Medium. Techno neutrality: High

3. «Presumption» of compliance to Q-level (i.e. legal certainty of legal effect) (via secondary legislation):

– Q-level specified by standard(s)

– Q-level assessment done by verifying compliance to conformity assessment standard(s)

– Q-level compliance certified (self, 3rd party or state supervision)

Security insurance level: Very high. Techno neutrality: N/A

Mutual recognition and acceptance of e-identification and authentication across borders

• Member States:

– To notify to Commission the ‘national’ eID(s) used at home for access to public online services;

– To recognise and accept ‘notified’ eIDs of other Member States for access to cross-border public online services;

– To provide the possibility to check and verify received eIDs (authentication);

– Responsibility of Member States for unambiguous identification and their authentication

– To allow the private sector to use ‘notified’ eID

Next Steps:

1. Member States, European Parliament and other stakeholders consultations

2. Impact assessment of policy options

3. Legislative proposal 2Q2012

4. Implementing acts

+ Standards rationalisation

Indicative conceptual process

[Timeline figure, 2011 to 2016. Labels: Consultation; Proposal; Legislative process; Legislation; Implementing acts, Commission Decisions; Standards; Standardisation mandate m460]

NB. Dates are indicative

For further information

• eSignature website: ec.europa.eu/information_society/policy/esignature including results of online public consultation

• Mailbox: [email protected]

CONCLUSIONS

• EU has comprehensive legislation and standards for PKI deployment

• EU is oriented towards opening its service market to worldwide competition

• EU Member States are fully committed to digitalization: technical cornerstones are

– ISO 32000
– SSCD (HW security)
– PAdES, CAdES, XAdES
– TSL
– digital identities