Post on 15-Jan-2016
PKI Services for the Public Sector of the EU Member States
Dr. Dimitrios Lekkas
Dept. of Products & Systems Design Engineering
University of the Aegean
Rhodes, 9/6/2003
Objectives of the study
To review the use of electronic signatures for e-government services.
To identify the technologies employed for the exploitation of e-signatures.
To discuss legal issues referring to the use of e-signatures.
To discuss digital certificates management in the public sector.
To provide a set of good-practices on the use of e-signatures in the public sector.
eEurope-2005
The underlying strategic framework
Based on two groups of actions:
– Services - Applications - Content
– Broadband Infrastructure - Security
Action Plan around inter-linked lines:
– Policy Measures
– Good Practices
– Benchmarking
– Policies Coordination
eGovernment Services
General key actions:
– Broadband Connection
– Interoperability
– Interactive Public Services
– Public Procurement
– Public Internet Access Points
– Culture and Tourism
Key actions for security:
– Cyber Security Task Force
– Security Culture
– Secure Communication between Public Services
Our methodology at a glance
1. State-of-practice: Review of state-of-practice on e-signatures use.
2. Legal issues: Review of legal and regulatory issues on e-signatures use.
3. Standards: Review the standardization work on e-signatures.
4. Case studies: Study lessons learnt from relevant situations.
5. Survey: Identify and review relevant experiences from EU
…towards Good Practices
1. State-of-practice on Certification Services
Topics:
Qualified Certificates (QC)
Requirements for issuing QC
Additional requirements for Public Sector
Qualified Certificates
Unique identification of CSP
Unique identification of the physical entity
Intended purpose
Signature verification data corresponding to subject
Period of validity
Identity code of the certificate
Electronic signature of the CSP
Usage limitations
Case-relevant extensions
Requirements for issuing QC
Demonstrate the appropriate reliability
Ensure appropriate directory/revocation services
Verify physical entity's identity
Employ properly qualified personnel
Use trustworthy systems
Protect signature creation data
Keep records relevant to qualified certificates
Publish policies, practices, terms, and conditions
Maintain sufficient financial resources for operation
Ensure physical security
Additional requirements for the Public Sector
Risk Analysis/Assessment
ISO 9000 certification
Personal data protection
Insurance
Repositories for storing signature verification data for a long time
3. Standardization work
European initiatives and bodies:
– ETSI: Europe's contribution to world-wide standardization
– CEN/ISSS: Information Society Standardization System
– ICTB/EESSI: European Electronic Signature Standardisation Initiative
International initiatives and bodies:
– ISO & ITU: World-wide de jure standards
– IETF: Widely accepted de facto Internet standards
– W3C: Recommendations for structuring web documents
– PKCS: Public Key Cryptography Standards
– ANSI: The American perspective
Existing and emerging standards
Cryptography: Cryptographic algorithms, Hash functions, Random number generators
Secure Hardware: Smart cards, Tokens, Secure devices
Digital Certificates: Formats, Distribution, Certificate Status Information (CSI)
Certification Services: Digital signatures, Key management, Authorization, Time-stamping, Notary
General support: ICT Security, Directory access, Database management, Repositories, Interoperability
Management: IS management, Quality, Policy composition, Audit
4. PKI in third countries
Canada
– A ‘Policy Management Authority’ exists
– ‘External subscribers’ are allowed
– Key management resembles that of the EU Directive
USA
– Federal PKI is fully functional
– Federal Bridge CA assures interoperability
– Various ‘assurance levels’ for certificates
Australia
– ‘Government Public Key Authority’ exists as accreditation body
– Various levels of certificates for individuals and non-individuals
5. Survey
Means: Questionnaire on:
(a) Existing e-services
(b) Legal status of certificates
(c) Use of certificates in the public sector
(d) Requirements from CSP
(e) Use of certificates for G2G and G2C transactions
- Sent to the 15 Member States via CIRCA
- All recipients responded
- Results taken into account and referred to in the deliverable
Survey findings
All Member States have adopted Directive 1999/93/EC.
In 14 Member States there is at least 1 CSP offering qualified certificates (except Ireland).
In 13 Member States there is one authority responsible for the accreditation of CSP (except France and Ireland).
In 13 Member States there is one authority responsible for regulating, monitoring and auditing the operation of CSP (except Ireland and UK).
In 9 Member States the two aforementioned procedures are performed by the same entity/authority.
In 5 Member States certificates of types other than qualified/unqualified are used.
…survey findings
In 11 Member States CSP accreditation is voluntary for qualified certificates.
In 7 Member States certificates have been employed in G2G transactions (3 have plans for 2003 and 3 after 2003).
In all Member States the Public Sector obtains services from multiple CSP.
In 14 Member States there is no nation-wide RA, which registers civil servants (except Belgium).
In 11 Member States each governmental organization may have or operate its own RA.
In 2 Member States (Finland and France) each sector or administration level has its own RA.
…survey findings
8 Member States have in place specific provisions, in case a CSP ceases operation.
11 Member States have in place specific provisions, in case a CSP uses its key in a way incompatible with the existing legislation.
Special requirements a CSP should fulfill (number of Member States):
– Appropriate skills of CSP staff: 10
– Compliance with personal data regulations: 11
– ISO 9000 certification: 4
– Security of CSP equipment used for key generation: 10
– Security of CSP premises: 11
– Risk Analysis/Assessment: 10
…survey findings
Interoperability requirements when more than one CSP is involved (number of Member States):
– All CSP should first apply for voluntary accreditation: 6
– Compatibility of the CPS: 5
– Interoperability of technology: 4
Value Added Services the Public Sector receives from CSP (number of Member States):
– Non-repudiation of receipt: 4
– Notary: 4
– Timestamping: 8
…survey findings
In 6 Member States there exists (or is planned) a central repository, which provides each and every civil servant with a certificate.
In 5 Member States the role of the civil servant is associated with the certificate issuance.
In 4 of the above 5, when a civil servant is transferred to another post, its certificate is revoked or renewed.
In 10 Member States smart cards are used to keep signature-creation-data (e.g. a private key).
In 10 Member States audit records (logs) are kept.
In 9 of the above 10 CSP are responsible for keeping the audit logs.
Good-practices
Working assumptions:
– G2G and G2C transactions are included.
– C2G transactions are not included.
– Subject to additional sector-related requirements
– Focus on authentication, non-repudiation, and integrity.
– Compliance with EU Directive 99/93.
EU Directive 99/93: Article 3
Outline:
– CSP operation
– Accreditation and supervision
– Certificate characteristics
– Signature Creation Devices
– Architectural issues
– Information dissemination
– Value-added Certification Services
– Certification Practice Statement (CPS)
– CSP cease of operation
CSP Operation
CSP operator
– The government is generally considered as the owner of its Public Key Infrastructure.
– The operator may be a governmental authority, or the operation may be outsourced to the private sector.
CSP’s cease of operation
– Handling differs in Member States
– Subject to prior interoperability established, certificates will be managed by another CSP, or
– All issued certificates are revoked, or
– Purely governmental-operated CSP (they never cease...)
Accreditation and Supervision
Voluntary Accreditation
– Some Member States ask for compulsory accreditation
– Generally desired for qualified certificates issuance
– Accreditation is not a requirement for the issuance of unqualified certificates
Supervision
– Establishment of national supervisory bodies in most Member States
– Supervision, in most cases, is performed by Telecom Authorities
– Diversification of supervision and accreditation roles is desired
Requirements for certificates
Certificate characteristics
– Role-based certificates tend to have heavy administrative cost.
– Both qualified and unqualified are needed, each for a specific user domain.
– An identity certificate is needed for every civil servant. The certificates can be either identity-based only or role-based.
– Average certificate lifecycle: 1-3 years.
Public sector specific requirements
– Signature lifetime is reported to be 30 years.
– The signature lifetime should be (considerably) longer.
– It is suggested that different keys are used for different functions (e.g. signature, authentication, encryption).
Signature creation issues
Key management
– Key generation should be performed under the full control of the end-user (for non-repudiation purposes)
– Key recovery must not be possible
Signature Creation Devices
– Common agreement on the adoption of secure hardware tokens (e.g. smart cards)
– Conformance with international standards is recommended.
Architectural issues
Number of Certification Authorities
– Support for multiple CA in each country should be ensured
– Web of trust scalability is recommended
Trust architectures
– Mixed schemes may exist
– Combination of per-sector local hierarchies, local RA, Bridge CA and Cross-certified CA should be ensured
Registration Authorities
– Civil servants should be given a security token, according to a standard procedure
– Multiple RA per region or user domain should exist
– If a central identity repository exists, then a nation-wide RA should also exist
Information dissemination
Key distribution
– By personal correspondence (private) and by publicly accessible repositories (public)
Specific provision for the self-signed CA certificates distribution
– The maintenance of the Certification Trust Lists (CTL) should be done on a per-sector basis
Value-added Certification Services
Time-stamping
Confidentiality
Notary
Audit services
Non-repudiation of receipt
Long-lasting data repositories
Certification Practice Statement
Conformance with IETF RFC-2527 is recommended.
It should include, at least:
– CA and RA obligations
– Subscriber and relying party obligations
– Addressing community
– Certificate classes, formats, and profiles
– Procedures description
– Liabilities
– Value-added services description
– Interoperability issues
– Information dissemination procedures
EU Directive 99/93: Article 8
CSP should comply with data protection legislation
– Dissemination of personal PKI information
– Regulation of lawful access to personal data available to CSP
– Data security measures specification
Data protection authorities should support public authorities to monitor the CSP privacy policies
Conclusion
The result of our study is…
an appropriately balanced good-practice guidance
for the exploitation of Public Key Infrastructure
by the Public Sector