25 March 2022
Dec 18, 2015
18 April 2023
Bridges between Certification Authorities
Content
1. EU Services Directive
2. Interoperability of EU security infrastructures
3. Interoperability of electronic signatures
4. Conclusions
Directive 2006/123/EC
By the end of 2009, service providers should be able to use, nationally and cross-border, electronic procedures as set out in Art. 8 of the Services Directive.
Main building blocks for the use of e-procedures:
e-signatures
e-identification and
e-documents
Directive 2006/123/EC
Steps to be followed to implement the e-procedures:
Define an interoperability framework between Certificate Service Providers from all the Member States
Define common formats for the e-signatures
Possible solutions for interoperability:
Bridge Certification Authorities
Trusted Lists
2. Interoperability of EU security infrastructures
Bridge Certification Authorities
PKIs evolve from organizational islands towards nation-wide and international networks interconnected via bridging entities.
BCAs provide cryptographic interoperability, policy harmonization and certificate status validation services.
There is not yet a standardized solution for building BCAs, but there are already implementations at international and national level.
Bridge Certification Authorities
Corporate/governmental PKIs may implement different architectures, security policies, and cryptographic suites.
A flexible mechanism is needed to link corporate/governmental PKIs and translate their corporate relationship into the electronic world.
The BCA architecture was designed to address the shortcomings of the two basic PKI architectures, and to link PKIs that implement different architectures.
Establish trust relationships
[Diagram: a chain User PKI 1, Org. PKI 1, Bridge CA, Org. PKI 2, User PKI 2, with a "Trusts" arrow between each neighbouring pair. Inside each Organizational PKI, Subordinate CAs hang off the organizational root by subordination and issue the users' digital certificates; each Organizational PKI is linked to the Bridge CA by cross-certification.]
User trusts the CA that issued his certificate
Trust relationship established hierarchically within the organizational PKI
Trust relationship established using cross-certification between each Organizational PKI and the Bridge
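The cross-certification in the diagram can be exercised with Go's standard crypto/x509 path builder. The following is an added example, not certSIGN's code and not a real BCA implementation: it creates a self-signed root for Org PKI 1, a Bridge CA cross-certified by that root, Org PKI 2 cross-certified by the Bridge, and an end-entity certificate inside PKI 2, then validates the PKI 2 user from the viewpoint of a PKI 1 relying party that trusts only its own root. All CA names, keys, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a certification authority: a name plus the key it signs with.
type ca struct {
	name pkix.Name
	key  *ecdsa.PrivateKey
}

func newCA(cn string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &ca{name: pkix.Name{CommonName: cn}, key: key}
}

var serial int64 // constructed counter; a real CA keeps unique serials persistently

// issue has issuer sign a certificate binding subject to pub. Issuing to its own
// name and key gives a self-signed root; to another CA's, a cross-certificate.
func issue(issuer *ca, subject pkix.Name, pub *ecdsa.PublicKey, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	// Go copies the parent's Subject into the issuer field and signs with issuer.key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: issuer.name}, pub, issuer.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// bridgeWorld follows the slide's diagram: two organizational PKIs joined through
// a Bridge CA. Org PKI 2's own self-signed root is never needed by a PKI 1 relying party.
type bridgeWorld struct {
	root1         *x509.Certificate // self-signed trust anchor of Org PKI 1
	root1ToBridge *x509.Certificate // Bridge CA's key, certified by Org PKI 1
	bridgeToRoot2 *x509.Certificate // Org PKI 2's key, certified by the Bridge CA
	user2         *x509.Certificate // end entity issued inside Org PKI 2
}

func buildBridgeWorld() *bridgeWorld {
	pki1, pki2, bridge := newCA("Org PKI 1 Root CA"), newCA("Org PKI 2 Root CA"), newCA("Bridge CA")
	user := newCA("User PKI2") // key helper reused for the end entity
	return &bridgeWorld{
		root1:         issue(pki1, pki1.name, &pki1.key.PublicKey, true),
		root1ToBridge: issue(pki1, bridge.name, &bridge.key.PublicKey, true),
		bridgeToRoot2: issue(bridge, pki2.name, &pki2.key.PublicKey, true),
		user2:         issue(pki2, user.name, &user.key.PublicKey, false),
	}
}

// validateFromPKI1 validates user2 as a relying party of Org PKI 1 whose only trust
// anchor is root1. With the cross-certificates, path building finds User2 -> Root2
// (by Bridge) -> Bridge (by Root1) -> Root1; without them no path to the anchor
// exists. Returns the length of the chain found.
func validateFromPKI1(w *bridgeWorld, withBridge bool) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(w.root1)
	if withBridge {
		inters.AddCert(w.root1ToBridge)
		inters.AddCert(w.bridgeToRoot2)
	}
	chains, err := w.user2.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	w := buildBridgeWorld()
	fmt.Println(validateFromPKI1(w, true))  // 4 <nil>
	fmt.Println(validateFromPKI1(w, false)) // 0 and an unknown-authority error
}
```

The point a relying party should take from the run: the Bridge CA never becomes a trust anchor. It only contributes cross-certificates to the intermediate pool, and the path is discovered because each cross-certificate carries the next CA's public key under a name the previous link vouches for. A production BCA would also constrain what crosses the bridge (policy mappings, name constraints, path-length limits), which this example leaves out.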
Trusted Lists
“Trusted List”: term used to designate the Supervision/Accreditation Status List of those services from QCSPs that are supervised/accredited by a Member State's Supervisory Body that is in charge to establish, securely publish and maintain such a list in the context and requirements of the eSignature Directive (1999/93/EC).
Trusted Lists
The Trusted List aims to solve the validation problem of QES (Qualified Electronic Signatures) and AdES (Advanced Electronic Signatures) supported by a QEC (Qualified Electronic Certificate) in a cross-border context:
supports interoperability and facilitates the cross-border use of e-signatures
contains the structured information needed by the relying party to validate the electronic signature
complements the information available in the signer's certificate and the related certification chain supporting a QES, or an AdES supported by a QEC
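How a Trusted List complements the certificate chain can be shown with a small status lookup. This is an added example, not the real Trusted List format (an XML document following ETSI TS 102 231, signed by the supervisory body) and not certSIGN's code: the list, its single provider, the status tokens, the placeholder CA certificate bytes and the dates are all constructed. It answers the question the chain alone cannot: was the issuing CA a supervised or accredited issuer of qualified certificates in that Member State at the time of signing?

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Status tokens of a supervised/accredited service. A real Trusted List carries
// these as ETSI-defined status URIs inside an XML document signed by the Member
// State's supervisory body; short tokens are used here (constructed).
const (
	UnderSupervision   = "undersupervision"
	Accredited         = "accredited"
	SupervisionRevoked = "supervisionrevoked"
	ServiceTypeCAQC    = "CA/QC" // a CA issuing qualified certificates
)

// StatusEntry records a status and the moment it took effect.
type StatusEntry struct {
	Status string
	Since  time.Time
}

// TrustService is one entry: who provides it, what it is, how the issuing CA is
// identified (the service digital identity) and its status history.
type TrustService struct {
	Provider    string
	ServiceType string
	SubjectName string // subject DN of the CA certificate
	CertSHA256  string // hex SHA-256 of the CA certificate's DER encoding
	History     []StatusEntry
}

type TrustedList struct {
	MemberState string
	Services    []TrustService
}

func Fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// statusAt returns the status in force at t: the latest entry whose start is not
// after t. ok is false if the service had no status yet at t.
func (s TrustService) statusAt(t time.Time) (status string, ok bool) {
	hist := append([]StatusEntry(nil), s.History...)
	sort.Slice(hist, func(i, j int) bool { return hist[i].Since.Before(hist[j].Since) })
	for _, e := range hist {
		if !e.Since.After(t) {
			status, ok = e.Status, true
		}
	}
	return status, ok
}

// QualifiedAt answers what the certificate chain alone cannot: was the CA
// identified by subject and certDER a supervised/accredited issuer of qualified
// certificates in this Member State at signingTime?
func (tl TrustedList) QualifiedAt(subject string, certDER []byte, signingTime time.Time) error {
	fp, on := Fingerprint(certDER), signingTime.Format("2006-01-02")
	for _, s := range tl.Services {
		if s.ServiceType != ServiceTypeCAQC || s.SubjectName != subject || s.CertSHA256 != fp {
			continue
		}
		st, ok := s.statusAt(signingTime)
		switch {
		case !ok:
			return fmt.Errorf("%s: not yet listed on %s", subject, on)
		case st != UnderSupervision && st != Accredited:
			return fmt.Errorf("%s: status %q on %s", subject, st, on)
		}
		return nil
	}
	return fmt.Errorf("%s: no matching CA/QC service in the %s trusted list", subject, tl.MemberState)
}

// Constructed sample: one CA supervised from 2008 until supervision was revoked
// in mid-2010. The DER bytes are a placeholder, not a certificate.
var ca1DER = []byte("constructed placeholder for CA 1 DER")

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func SampleTrustedList() TrustedList {
	return TrustedList{MemberState: "XX", Services: []TrustService{{
		Provider: "Example QCSP", ServiceType: ServiceTypeCAQC,
		SubjectName: "CN=Example Qualified CA 1", CertSHA256: Fingerprint(ca1DER),
		History: []StatusEntry{ // deliberately unordered: statusAt sorts
			{SupervisionRevoked, day(2010, time.June, 1)},
			{UnderSupervision, day(2008, time.January, 1)},
		},
	}}}
}

func main() {
	tl := SampleTrustedList()
	for _, t := range []time.Time{day(2007, 6, 1), day(2009, 6, 1), day(2011, 6, 1)} {
		fmt.Println(t.Format("2006-01-02"), tl.QualifiedAt("CN=Example Qualified CA 1", ca1DER, t))
	}
}
```

Two design points matter for a relying party. The lookup keys on the service digital identity (here the subject name and a certificate digest), not on the provider's name alone, so a CA that merely shares a name with a listed one does not match. And the status is evaluated at signing time, not at validation time: a signature made in 2009 stays valid even though the CA's supervision was later revoked, while a signature dated after the revocation is rejected.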
Interoperability of electronic signatures
A reference format for AdES is needed to facilitate the cross-border use of QES.
Using XAdES (CAdES), signers may incorporate certain properties into the XMLSig (CMS) signature structure before computing the signature value, and include them in its computation.
Signers or other parties may request and incorporate a time-stamp on the signature, which provides a trusted upper boundary on the generation time.
Using XAdES (CAdES), verifiers or third parties may incorporate properties encompassing the long-term lifecycle of the signature, which after its generation includes first verification, storage for several years, and auditing.
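The two mechanisms above, signed properties that enter the signature computation and a time-stamp on the signature value that bounds the generation time from above, in runnable form. This is an added example, not XAdES/CAdES itself and not certSIGN's software: it keeps the XML-DSig/XAdES shape (a SignedInfo with one reference per signed item, a SignedProperties element, an unsigned time-stamp property) but encodes the structures as JSON instead of canonical XML, uses ECDSA P-256 for both the signer and the TSA, and stands a plain signature in for the TSA's token. The certificate bytes, the document and the times are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SignedProperties are what the signer commits to: their digest enters SignedInfo
// before the signature value is computed, so altering them later breaks the signature.
type SignedProperties struct {
	SigningTime       time.Time `json:"signingTime"`
	SigningCertDigest []byte    `json:"signingCertDigest"` // SHA-256 of the signer's certificate
}

// SignedInfo lists the references the signature value covers.
type SignedInfo struct {
	DataDigest       []byte `json:"dataDigest"`
	PropertiesDigest []byte `json:"propertiesDigest"`
}

type Signature struct {
	Props   SignedProperties
	Info    SignedInfo
	Value   []byte    // signer's ECDSA signature over SHA-256(SignedInfo)
	TSATime time.Time // unsigned property: a TSA time-stamp over Value, added
	TSASig  []byte    // after signing by the signer or by any other party
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// canon stands in for XML canonicalisation (assumption: JSON here, C14N in real
// XAdES); marshalling these plain structs cannot fail.
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// tsMessage is what the TSA signs: the signature value bound to the time.
func tsMessage(sigValue []byte, genTime time.Time) []byte {
	return digest(append(append([]byte{}, sigValue...), genTime.UTC().Format(time.RFC3339)...))
}

func Sign(key *ecdsa.PrivateKey, certDER, data []byte, now time.Time) (*Signature, error) {
	props := SignedProperties{SigningTime: now, SigningCertDigest: digest(certDER)}
	info := SignedInfo{DataDigest: digest(data), PropertiesDigest: digest(canon(props))}
	val, err := ecdsa.SignASN1(rand.Reader, key, digest(canon(info)))
	if err != nil {
		return nil, err
	}
	return &Signature{Props: props, Info: info, Value: val}, nil
}

// AddTimestamp has the TSA vouch that sig.Value already existed at genTime.
func AddTimestamp(sig *Signature, tsaKey *ecdsa.PrivateKey, genTime time.Time) error {
	tsSig, err := ecdsa.SignASN1(rand.Reader, tsaKey, tsMessage(sig.Value, genTime))
	if err != nil {
		return err
	}
	sig.TSATime, sig.TSASig = genTime, tsSig
	return nil
}

// Verify recomputes every reference digest, checks the signature value and returns
// the trusted upper bound on the signing time taken from the time-stamp;
// SigningTime on its own is only the signer's claim.
func Verify(sig *Signature, signerPub, tsaPub *ecdsa.PublicKey, certDER, data []byte) (time.Time, error) {
	switch {
	case !bytes.Equal(sig.Info.DataDigest, digest(data)):
		return time.Time{}, errors.New("signed data was altered")
	case !bytes.Equal(sig.Info.PropertiesDigest, digest(canon(sig.Props))):
		return time.Time{}, errors.New("signed properties were altered")
	case !bytes.Equal(sig.Props.SigningCertDigest, digest(certDER)):
		return time.Time{}, errors.New("signing certificate mismatch")
	case !ecdsa.VerifyASN1(signerPub, digest(canon(sig.Info)), sig.Value):
		return time.Time{}, errors.New("signature value does not verify")
	case sig.TSASig == nil || !ecdsa.VerifyASN1(tsaPub, tsMessage(sig.Value, sig.TSATime), sig.TSASig):
		return time.Time{}, errors.New("no valid time-stamp: generation time cannot be bounded")
	}
	return sig.TSATime, nil
}

// Scenario signs and time-stamps a constructed document, verifies it, then
// backdates the SigningTime property and verifies again.
func Scenario() (bound time.Time, okErr, tamperErr error) {
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tsa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, data := []byte("constructed signer cert DER"), []byte("constructed document")
	sig, err := Sign(signer, cert, data, time.Date(2009, 3, 1, 10, 0, 0, 0, time.UTC))
	if err == nil {
		err = AddTimestamp(sig, tsa, time.Date(2009, 3, 1, 10, 5, 0, 0, time.UTC))
	}
	if err != nil {
		return bound, err, err
	}
	bound, okErr = Verify(sig, &signer.PublicKey, &tsa.PublicKey, cert, data)
	sig.Props.SigningTime = sig.Props.SigningTime.AddDate(-1, 0, 0) // backdate the claim
	_, tamperErr = Verify(sig, &signer.PublicKey, &tsa.PublicKey, cert, data)
	return bound, okErr, tamperErr
}

func main() { fmt.Println(Scenario()) }
```

The run shows both properties of the slide. The signer's claimed SigningTime is covered by the signature, so backdating it after the fact is detected as a change to the signed properties; and the time the verifier can actually rely on is the TSA's, which bounds generation from above only (the signature may have been made earlier, never later). A long-term profile would go on to time-stamp the validation data as well, which is the lifecycle point of the third bullet.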
Interoperability of electronic signatures
ETSI organizes XAdES/CAdES interoperability tests
certSIGN
the only Romanian company involved in the ETSI interoperability tests
developed its own software for implementing the XAdES/CAdES signature formats
successfully passed the tests
Conclusions
Solving interoperability issues is the keystone element of implementing pan-European services
Governments, industry and independent organizations shall be involved
certSIGN – reliable partner to implement interoperability projects based on:
Previous experience in implementing operational Bridging Certification Authorities (Romanian National Defense System)
Own developed software modules tested in ETSI interoperability tests
Competencies in the PKI and information security field
Contact
Adrian Floarea
Business Development Director
certSIGN
Phone: 004-021-311.9901
Fax: 004-021-311.9905
Mobile: 004-0726.678.375
e-mail: [email protected]