the europeanid interoperability concepts and compliance conference «cross-border service provision...
TRANSCRIPT
The EuropeanID Interoperability Concepts and Compliance Conference
«Cross-border service provision supporting national eIDs»
27-29/03/2012
Biel, Switzerland The authenticity in electronic
interaction “Without Borders".
Problems and solutions.
As it works.
Undoubtedly, when some technological project with future prospects of international interaction is developed by any country, it would be reasonable to work out unified standards of cross-border interaction and only after that create a local system.
However, the experience shows that, as a rule, everything happens the wrong way round:
the local systems are created at first and then the attempts to make these systems compatible with other similar local systems are taken.
Classical examples of such situation are: - Left- and right-hand traffic; - Railroad gauge width 1520mm (Russia), 1435mm (Europe), 1668mm (Portugal and
Spain);- 220 and 110 volt at residential electricity network;- PAL, SECAM and NTFS colour television display systems;And so on…
A problem of PKI and authenticity in electronic interaction is also not an exception in historical regularity of differences and discrepancies origin.
Suffice it to apply to surface comparison of conditions for recognition of foreign certificates and eSignatures, defined by different local legislations. And this happens while there are international standards and recommendations that should be taken into consideration when developing local legislative acts.
Special attention should be paid to considerable differences even inside groups of jurisdictions (EU, CIS, EurAsEU, SCO, CU) where there are their own coordinated and approved recommendations.
ECE/TRADE/C/CEFACT/2010/14Recommendation No. 37: Signed Digital
Evidence Interoperability Recommendation:
“The verification of signed digital evidence must, at least, give the verifier a clear view of:• The signatures’ parameters (date, place, type of commitment)• The integrity of the signed content• The integrity and validity of the signatories’ certificates• The trustworthiness of the certification service providers.”
Belarus
Article 30. Recognition of foreign electronic signature certificates
A foreign electronic signature public key certificate which complies with the legislative requirements of a foreign state where this certificate has been issued is recognized in the Republic of Belarus in accordance with the international agreements between the Republic of Belarus and foreign states on mutual recognition of foreign public key certificates or other means to provide foreign electronic documents legal significance.
A public key certificate issued by a certification service provider of a foreign state accredited in the State system for public keys management is recognized by the Republic of Belarus.
Uzbekistan
Article 19.
Use of electronic signature certificates issued by foreign states
Application of foreign electronic signature certificates is carried out in accordance with the regulatory frameworks of the Republic of Uzbekistan.
Ukraine
Article 17.
Recognition of foreign electronic certificates
Foreign certificates of keys, which are certified according to the legislation of those states where they were issued, are recognized and valid in Ukraine according to the procedure set by law.
Russia (2011)
Article 7. Recognition of electronic signatures created in accordance withforeign laws and international standards
An electronic signature created in accordance with foreign laws and international standards shall be recognized in Russia as an electronic signature of the kind, whose characteristics it corresponds with.
An electronic signature and an electronic document signed with this electronic signature can not be considered as legally invalid only on the ground that the electronic signature verification certificate is issued according to foreign laws.
Kazakhstan
Article 13. Recognition of foreign electronic signature
A foreign electronic digital signature registered in a foreign state is recognized as a legally valid electronic digital signature in the Republic of Kazakhstan in accordance with the international agreements between the Republic of Kazakhstan and other states or after its registration in the State Register of Registration certificates.
Estonia
Article 40.
Recognition of foreign certificates
Certificates issued by a foreign certification service provider shall be recognized as equivalent to certificates issued by certification service providers acting on the basis of this Act if at least one of the following conditions is met:
1) according to the decision of the chief processor of the register, the foreign certification service provider complies with the requirements provided for in this Act and legislation established on the basis thereof;
2) the certificates of the foreign certification provider are guaranteed by a certification service provider acting on the basis of this Act who assumes responsibility for the accuracy of the data contained in the certificates;
3) the certificates issued by the foreign certification service provider are recognized by an international agreement entered into by the Republic of Estonia.
Germany
Paragraph 15. Certificates Issued by Other Countries.
(1) Digital signatures capable of being verified by a public signature key
certified in another Member State of the European Union or in another State party to the Agreement on the European Economic Area shall be deemed equivalent to digital signatures under this Act insofar as they show the same level of security.
(2) Paragraph (1) above shall also apply to other states insofar as relevant supranational or intergovernmental agreements have been concluded.
For more detailed information on foreign electronic signatures recognition see the document:
http://www.e-swb.com/?o=docs&id=551&mod=full&mid=2 Special attention should be paid to considerable
differences even inside the same groups of jurisdictions (EU, CIS, EurAsEU, SCO, CU).
If we carry out even surface analysis of foreign electronic signatures recognition by different jurisdictions, we can single out the following main conditions:
1. Accreditation of the foreign Certification Authority in a certain state (compulsory or voluntary).
2. Foreign CA or foreign certificate compliance with the certain state internal requirements (very often it’s not clear who determines the compliance).
3. Availability of correspondent international agreements or registration in a certain jurisdiction (for example, in EU).
4. Guarantee of a local CA for a foreign EDS validity.5. Unconditional recognition.
Presented conditions are used in different combinations with AND or OR.
Abstract conditions should be also noted – “in accordance with the current legislation”…
Basic problems of cross-border interoperability
An opportunity for cross-border use of eSignatures is strongly restrained by the following factors:
• Differences in terminology and definitions. Incompleteness of legislative base. • Local regulatory frameworks contain requirements which do not correspond with foreign
solutions. • A possibility of polysemantic interpretation of European regulatory frameworks, for example,
differences in definition of qualified certificates, especially concerning issuance of a qualified certificate to a legal person; supervision of CA (“proper!”), that means from a simple notification to detailed inspection and assessment procedures; a concept of Secure Signature Creation Device (SSCD).
• Lack of evident preference to qualified eSignatures in regulatory frameworks. At the same time, while the requirements to qualified eSignatures are determined (issued by certified CA; correspond to general requirements; in accordance with state bodies), the requirements to other types of electronic signatures are rather ambiguous, and therefore a problem of their compatibility worsens even on the national level, not speaking about the European level.
• It’s obvious that in respect of compatibility of electronic signatures not based on qualified certificates, it’s impossible to count on any progress because there has not been any basic criterion defined to determine the reliability of similar solutions. Barriers in the work on these solutions on the European or other cross-border levels make little opportunity for more or less acceptable compatibility between them.
• Requirements to Trusted Third Party (TTP) services (time stamping, long term archiving, identity management and authorizations) are insufficiently defined on EU level. These initiatives are taken at a strictly national level, and therefore there is a risk of disparities emerging on cross-border level.
• Prevalence of solutions which do not favour strong PKI based approaches.• Incompatible use of certificate attributes: there is no standardization on the attribute which• might be used by application to identify the role of the signer, and there is no standardization
on the values that such attributes may contain, including language barriers (for example, lawyer, advocaat, Rechtsanwalt).
• The majority of applications mentioned above can use Qualified Electronic Signatures issued by a limited list of CSPs trusted as providers of Qualified Signature.
• Use of different types of signature formats and algorithms (PKCS#7, XMLDSig, XAdES, CAdES, etc.) in these applications. For example, from January 1st 2010 Germany abandoned use of the SHA-1 hash algorithm. But this happened only in Germany, in other countries this algorithm is acceptable.
• Most of the surveyed applications rely on the validation mechanisms provided by the CSP they trust or on the validation mechanisms provided by their national framework.
• A juridical sphere also has some problems necessary to be solved.• For example, the definition of qualified certificates is interpreted in different ways
because it is not defined at the European level. For example, in Austria an electronic digital signature is a qualified signature, but in Poland and Lithuania an electronic digital signature is an advanced signature. Obviously, such difference in definition may create interoperability barriers at the European level. Many definitions and terms are unique for each certain country.
• 13 countries have specific E-government acts (in May 2011 Greece passed the law on Electronic Government). The precise scope and impact of these laws varies quite strongly. However, they are all trying to reach one goal: to grant the citizens and/or businesses the right to communicate electronically with public administrations (C2A and/or B2A) and the reverse possibility: the right of public administrations to use electronic signatures in their communications with businesses and citizens (A2B and A2C). At the same time, there are different rules of interaction: from those who doesn’t make any differences in EDS use (Estonia) to specific incentives for the use of electronic signatures in communication with the public sector (13 countries). An approach to encouragements to the use of electronic communications is also different. Only few of these acts are trying to solve problems of national interoperability even inside the European Union.
Analysis of available practices of EDS and SKC application
• A variety of eSignature applications in EEA begins with the carriers of electronic digital signature key certificates.
• By the available information:• To the beginning of March 2012 eID-cards were available in 11 countries (Belgium, Finland, Italy,
Liechtenstein, Lithuania, Portugal, Spain, Estonia, Croatia, Germany (from November 2010), Switzerland (from May 2010)), 7 countries are planning to implement eID-cards: Poland (from the beginning or mid of 2013), France (in 2010 adopted the draft social security bill which proposes the electronic ID-cards introduction, however, the introduction terms haven’t been defined yet), Greece (planned to implement eID-cards in 2011, the data on introduction is still not available), Latvia (is going to start issue eID-cards from April 1st 2012), Romania (2014), Malta (mid 2012), Slovakia (end of 2012). In 2010, after the new government has been formed, Great Britain joint the list of 11 states which are not planning to introduce eID-cards and in February 2011 announced that the national identity register was destroyed.
• ID-cards are issued by the state ( in 7 countries) or by authorized private structures (6 countries) and provide qualified electronic signature creation.
• Among the countries which are not EU member-states electronic ID-cards are issued in: Albania (from December 2009), Armenia (is planning to introduce eID-cards from the beginning – mid 2012), Georgia (from August 1st 2011), Azerbaijan (is planning to introduce ID-cards but introduction date have not been fixed yet), Ukraine (technically ready to implement eID-cards using EDAPS technologies, the deadline is not clear yet), Russia (has postponed the introduction of the universal electronic cards (UEC) till 2013).
• Specific smart cards (used by limited number of users or in specified spheres of application) (bank cards, social cards, health cards, civil servant cards). During the period from the end of 2010 to the beginning of 2012 following countries have joint the list of 9 countries issuing smart cards: Germany launched electronic doctor’s cards, electronic health cards, biometric cards for foreigners (2011), France implemented electronic cards for police officers (2011), Estonia introduced electronic residence cards for aliens residing in Estonia, who are not citizens of the European Union (2011). Poland is planning to start issuing electronic health cards (2013), Bulgaria started deploying smart cards to secure access to personal health records for the country's military personnel and their families (2010), Italy implemented smart cards for pregnant women (2010), Slovakia is planning to introduce electronic health cards in 2013.
• Crypto tokens are available in 22 countries, soft certificates – in 18. They are issued by private companies.
• Only in one country (Estonia) a digital stamp of organization is provided.
• Mobile signatures are available in 7 countries (Finland, Lithuania, Norway, Poland, Estonia). Austria presented mobile signatures in December 2009, two years later all tax offices in Austria provide the activation of the mobile phone signature, free of charge. Latvia introduced mobile signatures in 2010.
• Main eGovernment applications. The main spheres of eSignature applications while interacting with public bodies are: eProcurement, eHealth, eJustice, Taxation, Social services and eTrading.
• eProcurement. In addition to 15 actually operating applications, the following applications were launched in 2011-2012: Switzerland (2011) extended the practice of tender submission in electronic format to construction procurement, in France contracting authorities have been obliged to accept applications and bids transmitted by electronic means for all purchases worth at least €90 000 (since the beginning of 2012), Greece introduced electronic auctions in public procurement at the beginning of 2011. In the middle of 2011 Malta announced that tenders document purchase became exclusively online and in October 2011 introduced the first fully-electronic tenders. Denmark introduced the system of electronic public procurement for all public structures at the beginning of 2012. Finland started a transition to electronic procurement In 2011. Sweden is planning to introduce a complete eProcurement solution as from the autumn of 2012.
• Among these applications 6 solutions presently rely on qualified signatures, 2 require advanced signatures based on qualified certificates, 6 require advanced signatures and 1 requires a simple signature only.
• Among these applications only three ones (Ireland, Denmark and Slovakia) have no restrictions in place of credentials. In the Irish case, the application uses a simple online registration system that does not use any PKI components. In the Slovakian case, registration results in the recipient receiving an advanced signature certificate via e-mail. Denmark launched digital signature system NemID in the middle of 2010.
• Two countries (Austria and Norway) allow to use electronic signatures from a limited list of countries.
• In all other cases these applications can be applied only by residents of a state where they are registered.
• eHealth. During the period from the end of 2010 to the beginning of 2012 the system of online doctor’s appointments was introduces in: Germany, Berlin (end of 2011), Macedonia (January 2012), Czech Republic (January 2012); digital prescriptions (ePrescriptions) were implemented in the following countries: Poland (mid 2011 – a pilot project), Portugal (August 2011), Finland (2010), Norway (October 2011), Netherlands (January 2012), Croatia (2011); electronic health cards were introduced in Romania (2010 – a pilot project), Poland, Slovakia and Denmark are planning to implement electronic health cards in two years. Latvia launched eHealth services at the national eGovernment portal since September 2010. Great Britain launched prison IT healthcare system in April 2011. Bulgaria launched service of electronic births registration from the beginning of 2012. Italy presented eHealth section at the Health Ministry website in August 2011.
• Out of all operational applications seven relate to general eHealth platforms that could be used to securely exchange information in the eHealth sector and three applications relate to specific medical spheres. With regard to signature solutions there is some diversity to be found. The interoperability is almost unavailable in this sphere (in the middle of 2011 Germany and Poland started first cross-border cooperation on telemedicine project (Tele-ENT). In December 2011 the European Commission established eHealth cooperation network with the aim to ensure EU-wide interoperability of electronic health systems and wider use of eHealth). It should be also noted however that the actual need for interoperability is much smaller in this sphere because the application’s scope is delineated at the national level.
• eJustice. 7 applications are presently operational. However, there are some difficulties of establishing appropriate models for verifying the legal capacity of the actors (notaries, judges, lawyers, etc.). Looking at the scope of the applications, 5 applications relate to court proceedings and court administration (Ireland, Italy, Poland, Portugal, Estonia), 4 relate to the establishment and management of companies (Croatia, Estonia, Germany and Poland (from July 2011)) and 3 relate to notarial archiving services (Austria, Slovenia, Estonia).
• With regard to signature solutions, four solutions presently rely on qualified signatures (Austria, Estonia, Germany and Poland), one (Slovenia) requires advanced signatures based on qualified certificates, one (Portugal) requires advanced signatures and one (Ireland) uses simple signatures.
• With regard to interoperability, only few countries provide cross-border use of electronic signatures: Estonia (cross-border cooperation with a limited list of countries) and cross-border cooperation between Portugal and Spain (from the beginning of 2010). The European eJustice Portal was launched in July 2010 (https://e-justice.europa.eu).
SIGNATURE VALIDATION
• eSignature validation issues should be mentioned apart. If in 2007 the validation service was presented only in Spain and Estonia, then to the end of 2010 only 4 countries launched the validation service (Poland, Austria, Germany and Norway). From the beginning of 2012 Spanish eSignature platform @firma includes among the list of eSignature and eIdentity certificates that it validates those issued by the following countries: Austria, Belgium, Estonia and Portugal. In February 2011 Poland and Norway signed the cross-border agreement on eSignature with the aim to check and validate eSignatures based on electronic identities (eIDs) from more than 300 providers in Europe.
• Several projects on eSignature cross-border validation are being implemented by the European Commission: STORK (Secure Identity Across Borders Linked), PEPPOL (Pan-European Public Procurement Online), SPOCS (Simple Procedures Online for Cross-border Services). In 2011 the projects implementation reached several successful results: in March 2011, first electronic invoice was sent, received, approved and paid and first two electronic Virtual Company Dossiers were created and delivered via PEPPOL solutions; in April 2011 Norway connected to the PEPPOL infrastructure; in March 2011 Greece became the first EU Member State to use Open e-PRIOR (an open source eProcurement platform connected to PEPPOL); in May 2011 Great Britain sent two first electronic invoices to the European Commission using the PEPPOL infrastructure; in November 2011 Italy started to use PEPPOL solutions; in March 2012 a new version of Open e-PRIOR was introduced that includes a web portal for eInvoicing that allows SMEs and individuals to submit electronic invoices to their customers who have Open e-PRIOR installed. In October 2010 six STORK pilots launched to provide electronic identity interoperability across Europe and in January 2012 the new STORK 2.0 project was launched.
• Unfortunatelly, the geography of electronic signature possible validation is very narrow both for organizational and technical and technological reasons that were mentioned above.
• Besides, the problem is worsened by use of incompatible identifiers (for example, a registration number, VAT-number, etc.) as a part of an electronic signature and the role of the signer.
• Among surveyed applications of eGovernment, only 69 applications make use of eSignatures (for all types of eSignature certificates).
• Apparently, despite the considerable progress in this sphere, more effort is needed to increase use of PKI-technologies for efficient cross-border interoperability.
Taking into consideration all mentioned above, it becomes
evident that to the current moment practical use of EDS and electronic certificates for cross-border interaction in such conditions of technological and juridical chaos is
impossible!!!
And while officials are trying to come to an agreement, businesses suffer losses.
In the first turn, this concerns such areas as foreign economic activities and electronic trade, including the program of public procurement
PEPPOL (in Europe) and 94-FZ (in Russia).
Potential solutions
There are different ways to solve these problems.1. Standardization of all available PKI-systems and
corresponding regulatory frameworks.However, these systems have been already created! What has to
be done in this case? Those who doesn’t comply with the new uniform rules will have to renounce all the achievements?
Analogy: How successful are the attempts to come to agreement on
replacement of all residential electricity networks in Europe by 110 volt, or in America and Japan – by 220 volt. Or replacement of all electricity networks by 185 volt?
But there is another way!And this is exactly the way to solve many
current problems and technical contradictions.
Just leave things as they are: let it be 110 and 220 volt, and 50 and 60 Hz.All that is needed is to create
ADAPTERS!
Just in order to solve these PKI-problems with “adapter solutions”
The International Association
«e-Signature Without Borders»was established in May 2008
www.e-swb.com
To the present moment we have developed the method, the technology and the prototype of the system components for universal validation of electronic digital signatures and electronic key certificates regardless of applied technologies, standards and algorithms and jurisdictions of a
signer and a receiver of an electronic document –PKI-ADAPTER.
BASIC PRINCIPLES OF OUR APPROACH TO PROBLEM SOLUTIONS
One of the possible solutions for the problem of PKI cross-border interoperability, widely discussed by officials, is the creation of
«Trust Environment».However, on our opinion, a concept of “Trust” is rather abstract. Different conditions can be laid down to initiate trust, trust can be refused at any moment.
That is why we suppose that it would be logical to talk about the creation of RESPONSIBILITY ENVIRONMENT!!
And, secondly, we think that, besides the provision of reliable user’s authentication, certificate validation and integrity and invariability of received document, it’s necessary to consider the final aim of
NON-REPUDIATIONwhile using PKI-technologies in cross-border interaction.
Responsibility environment
Is formed by: А) proper legal relationships, rights and obligations between parties of
validation process (charter of Association, agreements and contracts);
В) use of electronic signature certificates and devices that are unequivocally trusted by the parties of validation process (received from interested party of validation process).
С) The Association e-SWB guarantees legitimacy and authenticity of the validation process. Guarantee is provided by liability insurance of the Association and its members who take part in each separate validation process.
Provision of non-repudiation
The analysis of the available judicial practice shows that in a case of a dispute on electronic certificate or electronic signature repudiation by a signer, it’s reasonable to focus the main attention not on experts, but on witnesses – participants of the validity verification process. And each evidence is well documented – in a form of requests and receipts signed with eSignature that is legally valid in its own jurisdiction.
In this case, the complete legitimacy of the whole verification procedure is provided by the legitimacy of its each separate stage.
For more detailed information on the developed “Method for Authentication Provision in Cross Border Interaction” see the document:
http://e-swb.com/methodics.pdf
HASH and Confidentiality
While verifying eSignature we do not work with a signed document but use only a hash of the signed document.
Thereby, personal data protection and information confidentiality are provided.
Obtaining the confirmation of eSignature validity concerning the hash of a document the initiator of the verification process takes a final decision on eSignature validity concerning the whole document – based on the full identity of the decrypted and independently calculated hashes.
Client (ЕЕ) Client (RU)
1. Creation of a document signed with SKC SK
How it works on the examples of Russia (NCA) and Estonia (SK)
Client (ЕЕ) Client (RU)
2. The document is sent to the Recipient (RU)
3. The document verification request is formed.
4. The request is sent to the National Certification Authority (NCA)
Client (ЕЕ) Client (RU)
6. NCA creates a request on EDS verification to the e-SIGN VS.
5. The request is sent to NCA
Client (ЕЕ) Client (RU)
6. Verification of EDS and request structure
7. SKC verification applying OCSP SK
8. Verification of EDS on initial document 9. Signing the receipt on SKC of NCA
Verification of the request and creation of the receipt
Client (ЕЕ) Client (RU)
10. Sending the receipt to the NCA
Client (ЕЕ) Client (RU)
11. Receipt verification by NCA
10. Sending the receipt to NCA
12. Creation of the receipt to the client
13. Sending the receipt to the client
Real Results
• The presented method of interaction has been successfully tested. • To the present moment while interacting with the members of the
Association, the National Certification Authority (NCA) of Russia and SK of Estonia in the first place, tests have been held on validity verification of electronic signatures generated on certificates of Russia, Estonia, Finland, Lithuania, Austria, Belgium, Portugal in behalf of parties interacting within these jurisdictions.
• The tests were successful that is proved by the test protocol published on the Association website:
• …………..
Prospects
In our development strategy we proceed from the assumption that the whole interaction during the validation process should be carried out solely between the Association e-SWB and CA. The CA is the one that provides the interaction with the end user.
However, we don’t exclude a possibility of validation service provision via the corresponding WEB-portal.
Besides, another model of eSignature validation process is being developed when a signed document is submitted to the end user with a receipt signed with an electronic digital signature of its “home” certification service provider.
Conclusion
• On our opinion, given favourable conditions (good will, understanding and financing), the development of the presented method for authentication provision in cross-border electronic interaction can provide desired results – successful cross-border electronic interaction between citizens, business and state agencies from different jurisdictions - in short terms and with little financial expenses.
• Which, in its turn, will give new impetus to full-fledged and efficient development of cross-border projects in the spheres of eTrade, eProcurement, foreign economic activities, preliminary information, and such projects as PEPPOL, STORK, SPOCS.
THANK YOU FOR YOUR ATTENTION !!!
The International Association
«e-Signature Without Borders»
N.E. Ermakov, Board Member
www.e-swb.com [email protected]