Current Overview of the EU's Standardisation Activities in the Field of Electronic Signatures
Arno Fiedler
Nimbus Technologieberatung GmbH
Managing Director
TeleTrusT Deutschland e.V.
Fundamentals of Signature Standardisation
Electronic signatures and certificates only deliver their benefit when a sufficiently large number of potential relying parties brings about the network effect.
In the European context of electronic commerce, the need for strong authentication and non-repudiation of declarations of intent is greater than in a national system with established customer relationships.
The European Services Directive promotes the freedom of movement for professionals and challenges the national e-government systems to create cross-border concepts and solutions for electronically supported identity management.
Facets of eID Standardisation
eID standardisation always concerns at least three levels:
Issuer, i.e. the trust service provider
Holder, i.e. the user
Relying party, i.e. the recipient
Standardisation MUST NOT be an end in itself.
Whoever pays decides the (hopefully open) "standards".
Standardisation without conformity assessment and testing is not meaningful.
Facets of eID Standardisation
Standardisation takes place locally, nationally (TR eID, eCARD, OSCI), at European level (CEN versus ETSI) and internationally (ISO/ITU), and only rarely in a globally uniform way (ICAO, OSI X.509).
Standardisation is carried out by official bodies in large quantity and variety,
and by unofficial alliances with great success (RFCs, CAB/Forum, OASIS, pdf…).
There is at least one standard for almost everything!
Developing "new" standards is rarely sensible, but for many existing ones an update and harmonisation is urgently needed.
Survey results: overview of EU ES standards. EU eSignature Standardisation Work overview (© SEALED, 2007)
[Figure: diagram of the standards framework under Directive 1999/93/EC, complemented by Decisions 2003/511/EC and 2000/709/EC, with publication dates between March 2002 and May 2004. The boxes cover: CSP trustworthy systems and crypto modules (CWA 14167-1 to -4); SSCDs at EAL 4+ (CWA 14169) and guidelines for the implementation of SSCDs (CWA 14172-4); conformity assessment guidance (CWA 14172-1, -2, -3, -5, -6, -7, -8); algorithms and parameters (ETSI TS 102 176-1/2, ETSI TS 102 047, ETSI TR 102 272); CSP practices and certificates (ETSI TS 101 456, TS 102 042, TS 101 862, TS 102 280, CWA 14355, TS 102 437 as guidance on TS 101 456, TR 102 458, TS 102 045); TSA practices and time-stamping profile (ETSI TR 102 044, TS 102 023, TS 101 861); signature creation, verification and format (CWA 14170, CWA 14171, ETSI TS 101 733, TS 101 903, signature profiles TS 102 734 and TS 102 904 for eGov, eInvoicing and generic use); guide on ES use and signature policy (CWA 14365-1/2, ETSI TS 102 038, TR 102 041); international harmonisation of ES format and of certificate policies (ETSI TR 102 040, TS 102 158); harmonised TSP status information (ETSI TS 102 231); digital accounting and registered electronic mail (ETSI TR 102 572, TS 102 573, TR 102 605, and the draft DTS/ESI000052-1/3 on best practices, TSP policy requirements and existing practices); eInvoicing and digital signatures (CWA 15579); mobile signature standards (mCommerce).]
Facets of eID Standardisation
The EU Commission has recognised the need for harmonisation in signature standardisation and has tasked CEN/CENELEC and ETSI with it under Mandate 460.
The planned standardisation activities are described in the following document:
ETSI draft Special Report V0.0.2 (2011-08): "Rationalised Framework for Electronic Signature Standardisation"
This document is now open for public comment; the following slides are meant to encourage you to take part in that consultation.
Structure of the Standardisation Framework
[Figure: the six areas of the framework, numbered as follows]
1 Signature Creation & Validation
2 Signature Creation Devices
3 Cryptographic Suites
4 TSPs supporting eSignature
5 Trust Application Service Providers
6 Trust Service Status Lists Providers
Planned Types of Documents
Policy & Security Requirements
Guidance
Conformance Assessment
Testing Compliance & Interoperability
Technical Specifications
Detailed Structure of the Framework
[Figure (© ETSI 2011, all rights reserved): matrix of the six areas and their sub-areas against the five document types (Policy & Security Requirements, Guidance, Conformance Assessment, Testing Compliance & Interoperability, Technical Specifications). Sub-areas shown: Signature Creation & Validation: CAdES, XAdES, PAdES, ASiC, …; Signature Creation Devices: SSCD, SCD used by TSPs, Other SCDs; Cryptographic Suites: Suites Requirements, Guidance; TSPs supporting eSignature: TSPQC, TSPPKC, TSSP, SGSP, SVSP; Trust Application Service Providers: REM & eDelivery, Information Preservation; Trust Service Status (Lists) Providers.]
Sub-area: Signature Creation and Validation
Signature Creation and Validation
Sub-areas
Guidance
TR 1 66 1 0 0 Business Driven Guidance for Signature Creation and Validation
Policy & Security Requirements
EN 3 66 1 0 1 Policy & Security Requirements for Signature Creation and Validation
EN 3 66 1 1 1 Protection Profiles for Signature Creation & Validation Applications
Technical Specifications
EN 3 66 1 1 2 Procedures for Signature Creation and Validation
EN 3 66 1 2 2 CAdES - CMS Advanced Electronic Signature Formats
EN 3 66 1 3 2 XAdES - XML Advanced Electronic Signature Formats
EN 3 66 1 4 2 PAdES - PDF Advanced Electronic Signature Formats
EN 3 66 1 5 2 ASiC - Associated Signature Containers
EN 3 66 1 6 2 Signature Policies
Conformance Assessment
EN 3 66 1 1 3 Conformance Assessment for Signature Creation & Validation Applications (& Procedures)
Testing Compliance & Interoperability
TS 1 66 1 0 4 General requirements on Testing Compliance & Interoperability of SC&V
TS 1 66 1 2 4 CAdES Testing Compliance & Interoperability
TS 1 66 1 3 4 XAdES Testing Compliance & Interoperability
TS 1 66 1 4 4 PAdES Testing Compliance & Interoperability
TS 1 66 1 5 4 ASiC Testing Compliance & Interoperability
TS 1 66 1 6 4 Testing Compliance & Interoperability of Signature Policies
Signature Creation Devices (Tokens, HSMs)
Signature Creation Devices
Sub-areas
Guidance
TR 1 66 2 0 0 Business Driven Guidance for Signature Creation Devices
Policy & Security Requirements
EN 3 66 2 1 1 Protection Profiles for Secure Signature Creation Devices
EN 3 66 2 2 1 Protection Profiles for Signature Creation Devices used by TSPs
EN 3 66 2 3 1 Protection Profiles for other Signature Creation Devices
Technical Specifications
EN 3 66 2 1 2 APIs for SSCDs
Conformance Assessment
EN 3 66 2 0 3 General requirements for Signature Creation Device Conformance Assessment
EN 3 66 2 1 3 Conformance Assessment for SSCDs
EN 3 66 2 2 3 Conformance Assessment for Signature Creation Devices used by TSPs
EN 3 66 2 3 3 Conformance Assessment for other Signature Creation Devices
Testing Compliance & Interoperability
- - - - - no requirement identified
Cryptography (catalogue of measures?)
Cryptographic Suites
Sub-areas
Guidance
TR 1 66 3 0 0 Business Driven Guidance for Cryptographic Suites
Technical Specifications
EN 3 66 3 1 2 Cryptographic Suites for Secure Electronic Signatures
Testing Compliance & Interoperability
TS 1 66 3 1 4 Testing of implementations of cryptographic algorithms
"Trust Service Provider" Types
TSPs Supporting Electronic Signatures
Sub-areas
Guidance
TR 1 66 4 0 0 Business Driven Guidance for TSPs Supporting Electronic Signatures
Policy & Security Requirements
EN 3 66 4 0 1 General Policy & Security Requirements for TSPs Supporting Electronic Signatures
EN 3 66 4 1 1 Policy & Security Requirements for TSPs Issuing Qualified Certificates
EN 3 66 4 2 1 Policy & Security Requirements for TSPs issuing Public Key Certificates
EN 3 66 4 3 1 Policy & Security Requirements for TSPs providing Time-Stamping Services
EN 3 66 4 4 1 Policy & Security Requirements for TSPs providing Signature Generation Services
EN 3 66 4 5 1 Policy & Security Requirements for TSPs providing Signature Validation Services
Technical Specifications
EN 3 66 4 1 2 Profiles for TSPs issuing Qualified Certificate
EN 3 66 4 2 2 Profiles for TSPs issuing Public Key Certificates
EN 3 66 4 3 2 Profiles for TSPs providing Time-Stamping services
EN 3 66 4 4 2 Profiles for TSPs providing Signature Generation Services
EN 3 66 4 5 2 Profiles for TSPs providing Signature Validation Services
Conformance Assessment
EN 3 66 4 0 3 General requirements and guidance for Conformance Assessment of TSPs supporting e-Signatures
EN 3 66 4 1 3 Conformance Assessment for TSPs Issuing Qualified Certificates
EN 3 66 4 2 3 Conformance Assessment for TSPs Issuing Public Key Certificates
EN 3 66 4 3 3 Conformance Assessment for TSPs providing Time-Stamping Services
EN 3 66 4 4 3 Conformance Assessment for TSPs providing Signature Generation Services
EN 3 66 4 5 3 Conformance Assessment for TSPs providing Signature Validation Services
Testing Compliance & Interoperability
- - - - - no requirement identified for such a document
Specific Trust Centre Services
Trust Application Service Providers
Sub-areas
Guidance
TR 1 66 5 0 0 Business Driven Guidance for Trust Application Service Providers
Policy & Security Requirements
EN 3 66 5 0 1 General Policy & Security Requirements for Trust Application Service Providers
EN 3 66 5 1 1 Policy & Security Requirements for Registered Electronic Mail (REM) and Registered Electronic Delivery (RED) Service Providers
EN 3 66 5 2 1 Policy & Security Requirements for Information Preservation Service Providers (IPSPs)
Technical Specifications
EN 3 66 5 1 2 Registered Electronic Mail (REM) and Registered Electronic Delivery (RED) Services
EN 3 66 5 2 2 Information Preservation Services through signing
Conformance Assessment
EN 3 66 5 0 3 General requirements and guidance for Conformance Assessment of TASPs
EN 3 66 5 1 3 Conformance Assessment of REM and RED Service Providers
EN 3 66 5 2 3 Conformance Assessment of Information Preservation Service Providers
Testing Compliance & Interoperability
TS 1 66 5 0 4 General requirements for Testing Compliance & Interoperability of TASPs
TS 1 66 5 1 4 Testing Compliance & Interoperability of REM and RED Service Providers
Trust Service Status List Trust Centres
Trust Service Status Lists Providers
Sub-areas
Guidance
TR 1 66 6 0 0 Business Driven Guidance for Trust Service Status Lists Providers
Policy & Security Requirements
EN 3 66 6 0 1 General Policy & Security Requirements for Trust Service Status Lists Providers
EN 3 66 6 1 1 Policy & Security Requirements for Trusted Lists Providers
Technical Specifications
EN 3 66 6 0 2 Trust Service Status Information Formats
EN 3 66 6 1 2 Trusted Lists
Conformance Assessment
EN 3 66 6 0 3 General requirements and guidance for Conformance Assessment of TSSLPs
EN 3 66 6 1 3 Conformance Assessment of Trusted List Providers
Testing Compliance & Interoperability
TS 1 66 6 0 4 General requirements for Testing Compliance & Interoperability of TSSLPs
TS 1 66 6 1 4 Testing Compliance & Interoperability of Trusted Lists
Intersection between TSP and CSP
[Figure: Venn diagram in which "TSP" (comprising TSPs supporting eSignatures and Trust Application Service Providers) overlaps with "CSP as per Dir 1999/93/EC".]
Conclusion
Planned completion of the EU signature construction programme by the end of 2012:
Many easily understood standards in a new structure, so
"old but good wine in new bottles"; however,
paper is patient, and "ePaper" will be even more patient.
Field of tension between the requirements
Cost / benefit
© 1999 Arno Fiedler
Murphy's Laws on Justice (Bureaucracy?):
"If the government hasn't taxed, licensed or regulated it, it probably isn't worth anything."
Need for regulation?
Dipl. Wirtsch.-Ing. Arno Fiedler
Nimbus Technologieberatung GmbH
Reichensteiner Weg 17
14195 Berlin
arno.fiedler@nimbus-berlin.com
Mobile: 0172-3053272