Michał Tabor - Common Signcommonsign.eu/wp-content/uploads/2017/10/04_Stan... · TS 119 102-2...

The state of trust service standardization, Michał Tabor

Transcript of Michał Tabor - Common Signcommonsign.eu/wp-content/uploads/2017/10/04_Stan... · TS 119 102-2...

Page 1: Michał Tabor - Common Signcommonsign.eu/wp-content/uploads/2017/10/04_Stan... · TS 119 102-2 Wymagania dot. walidacji - TS 119 441/2 Trwająceprace ETSI / CEN Trust application

The state of trust service standardization

Michał Tabor

Page 2

About me

Expert in electronic identification, authentication and electronic signatures

Head of Research and Development, Partner

Expert assessor; member of the standardization committee

Page 3

Page 4

eIDAS standardization in Europe

TC ESI Electronic Signatures and Infrastructures

TC 224 Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment

Page 5

Understanding standard designations

DD L19 xxx-z

019 for ETSI Special Reports (SR)

119 for ETSI Technical Specification (TS) and Technical Report (TR)

219 for ETSI Standard (ES) and ETSI Guide (EG)

319 for ETSI European Standard (EN)

419 for CEN Technical Report (TR), Technical Specification (TS) or European Standard (EN)

Page 6

eIDAS Standards Framework

Trust application service providers

x19 5xx

TSPs supporting digital signatures

x19 4xx

Trust service status lists

119 6xx

General Framework

Trust services for: issuing certificates, time stamping, signature creation services, validation services

Trust services for: registered eDelivery / eMail, long term preservation

Signing Devices

419 2xx CC Protection Profiles: QSCD - Smart Cards; HSM used as QSCD; HSM used by TSPs; Remote QSCD

Signature Creation & Validation

x19 1xx

Procedures for AdES creation & validation

Formats: XAdES (XML), CAdES (CMS), PAdES (PDF), ASiC (containers)

Cryptographic suites

119 3xx Signature suites: hash, asymmetric crypto, key generation, lifetime

Standards framework

Common definitions

Guides

List of approved QTSPs & services supervised by National Bodies

119 0xx

Source: ETSI.

Page 7

Published ETSI standards


ETSI TR 119 001 V1.2.1 (2016-03): The framework for standardization of signatures; Definitions and abbreviations

ETSI TR 119 000 V1.2.1 (2016-04): The framework for standardization of signatures: overview

Page 8

Published ETSI standards


ETSI TR 119 100 V1.1.1 (2016-03): Guidance on the use of standards for signature creation and validation

ETSI TS 119 101 V1.1.1 (2016-03): Policy and security requirements for applications for signature creation and signature validation

ETSI EN 319 102-1 V1.1.1 (2016-05): Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation

ETSI EN 319 122-1 V1.1.1 (2016-04): CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures

ETSI EN 319 132-1 V1.1.1 (2016-04): XAdES digital signatures; Part 1: Building blocks and XAdES baseline signatures

ETSI EN 319 142-1 V1.1.1 (2016-04): PAdES digital signatures; Part 1: Building blocks and PAdES baseline signatures

… (38 standards in total)

Page 9

Published ETSI standards


ETSI TS 119 312 V1.2.1 (2017-05): Cryptographic Suites

ETSI TR 119 300 V1.2.1 (2016-03): Guidance on the use of standards for cryptographic suites

Page 10

Published ETSI standards


ETSI TR 119 400 V1.1.1 (2016-03): Guidance on the use of standards for trust service providers supporting digital signatures and related services

ETSI EN 319 421 V1.1.1 (2016-03): Policy and Security Requirements for Trust Service Providers issuing Time-Stamps

ETSI EN 319 422 V1.1.1 (2016-03): Time-stamping protocol and time-stamp token profiles

ETSI EN 319 412-1,2,3,4,5 V1.1.1 (2016-02): Certificate Profiles; Part 1: Overview and common data structures; Part 2: Certificate profile for certificates issued to natural persons; Part 3: Certificate profile for certificates issued to legal persons; Part 4: Certificate profile for web site certificates; Part 5: QCStatements

ETSI EN 319 403 V2.2.2 (2015-08): Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers

ETSI EN 319 401 V1.1.1 (2013-01): General Policy Requirements for Trust Service Providers supporting Electronic Signatures

Page 11

Published ETSI standards


ETSI SR 019 510 V1.1.1 (2017-05): Electronic Signatures and Infrastructures (ESI); Scoping study and framework for standardization of long-term data preservation services, including preservation of/with digital signatures

Page 12

Published ETSI standards


ETSI TS 119 614-1 V1.1.1 (2016-06): Testing Conformance and Interoperability of Trusted Lists; Part 1: Specifications for testing conformance of XML representation of Trusted Lists

ETSI TS 119 612 V2.2.1 (2016-04): Trusted Lists

ETSI TR 119 600 V1.2.1 (2016-03): Guidance on the use of standards for trust service status lists providers

Page 13

Ongoing ETSI / CEN work

Validation Report - TS 119 102-2

Validation requirements - TS 119 441/2


Certificates supporting PSD2 - TS 119 495

Remote signatures - requirements EN 419 4xx

Preservation requirements - TS 119 511/2

Requirements for trust service providers issuing certificates - EN 319 411-1/2

Remote signatures - requirements TS 119 431/2

Page 14

Forum eIDAS_PL: a knowledge-exchange forum on the eIDAS Regulation in Poland

The meeting is recorded, covering the published slides, the voices of those speaking and the likeness of the presenters.

Participation in the meeting constitutes consent to the publication of the above information.

eIDAS Twitter: @eIDAS_PL

Questions and comments: [email protected]

http://yammer.com/eidaspl

QUESTIONS AND ANSWERS

Page 15

ETSI work in progress

• Updates to TSP Policy Requirements: EN 319 411-1/2

• Support for PSD2 use of Qualified certificates

• Signature Validation

• Remote signing
  – CEN Standards
  – ETSI Standards

• Electronic Registered Delivery and Registered Electronic Mail Services

• Long term (signature) preservation

• Using Trusted Lists

• Internationalisation

• Use of Existing and upcoming Standards as QSealCD

Source: ETSI.

Page 16

Updates to TSP Policy Requirements: EN 319 411-1/2

• Each individual requirement clearly identified

• Alignment with CA Browser Forum (EVCG V.1.6.1 for ECVP and BRG v1.4.2)

• Several detailed clarifications

• OCSP & CRL: OCSP recommended (not mandated), support for long term validation, details on OCSP requirements

• Clearly identify requirement relating to a specific component

Under EN approval: ballot closes end of November

Documents (with revisions marked): https://docbox.etsi.org/esi/Open/Compared_deliverables

Source: ETSI.

Page 17

Qualified Certificates under PSD2 (new)

Background

• Directive 2015/2366/EU aimed at regulating “payment services”

• Draft Regulatory Technical Standards:
  – High level technical requirements for:
    • strong customer authentication
    • common and secure open standards of communication
  – Final publication by commission due November 2017
  – Requires use of qualified Certificates for secure communications & transactions between payment service providers:
    • Web site authentication certificates
    • e-Seal certificates
  – Requires PSD2 Specific certificate attributes
    • Identifies member state competent authority
    • Payment services authorised

Source: ETSI.

Page 18

Signature Validation

• Standards being developed:
  – TS 119 102-2: Validation Report
  – TS 119 441: Policy requirements for TSPs providing Signature validation services
  – TS 119 442: Protocol for signature validation services

• Protocol features:
  – Supports both XML and JSON exchanges
  – Aligned with OASIS DSS

• Timescale
  – Stable draft for review: Dec 2017
  – Publication: Sept 2018

• Open Workshop
  – 10th January 2018

Page 19

Remote Signing: CEN Standards for Trustworthy Systems

• Draft CEN Standards:
  – prEN 419 241-1: General System requirements

– prEN 419 241-2: Protection Profile for QSCD for Server Signing

– prEN 419 221-5: Cryptographic module

• Authentication can be delegated to an Identity Provider outside QSCD

• Timescale:
  – EN 419 241-1: 1st round agreed with minor revisions, final approval by end 2017

– EN 419 241-2: 1st round agreed subject to evaluation under Common criteria, aim final approval Q1 2018

– EN 419 221-5: Final approval by end 2017


© ETSI 2017. All rights reserved

Page 20

ETSI Signature Creation Protocols & TSP Component Policy Requirements

• Standards being developed:
  – TS 119 431-1: Policy and security requirements for TSP service components operating a remote QSCD / SCD
  – TS 119 431-2: Policy and security requirements for TSP service components supporting AdES digital signature creation
  – TS 119 432: Protocols for remote digital signature creation

• Timescale
  – Started work on detailing scope
  – Funded STF activity started: Oct 2017
  – Stable draft for review: June 2018
  – Publication: Nov 2018


Page 21

Electronic Registered Delivery and Registered Electronic Mail

• Existing standards:
  – TS 102 640 (parts 1 to 6) Registered Electronic Mail

• Standards being developed
  – EN 319 522: Electronic Registered Delivery Services

– EN 319 532: Registered Electronic Mail (REM) Services

– EN 319 521: Policy and security requirements for Electronic Registered Delivery Service Providers

– EN 319 531: Policy and security requirements for Registered Electronic Mail Service Providers

– TS 119 524: Testing Conformance and Interoperability of Electronic Registered Delivery Services

– TS 119 534: Testing Conformance and Interoperability of Registered Electronic Mail Services

• Timescale
  – Stable draft of ENs for review: End Oct 2017
  – EN approval starts: End April 2018
  – ENs published: Feb 2019

Page 22

Long term (signature) preservation

• Work started:
  – TS 119 511 Policy & security requirements for trust service providers providing long-term preservation of digital signatures or unsigned data using signature techniques
  – TS 119 512 Protocols for trust service providers providing long-term preservation of digital signatures or unsigned data using signature techniques

• Time scale:
  – Stable draft for review April 2018
  – Publication: November 2018
