25 March 2022 Bridges between Certification Authorities

21 May 2015 Bridges between Certification Authorities

18 April 2023

Bridges between Certification Authorities

Content

1. EU Services Directive

2. Interoperability of EU security infrastructures

3. Interoperability of electronic signatures

4. Conclusions

1. EU Services Directive

Directive 2006/123/EC

By the end of 2009, service providers should be able to use, nationally and cross-border, electronic procedures as set out in Art. 8 of the Services Directive.

Main building blocks for the use of e-procedures:

e-signatures

e-identification

e-documents

Directive 2006/123/EC

Steps to be followed to implement the e-procedures:

Define an interoperability framework between the Certificate Service Providers of all the Member States

Define common formats for the e-signatures

Possible solutions for interoperability:

Bridge Certification Authorities

Trusted Lists

2. Interoperability of EU security infrastructures

Bridge Certification Authorities

PKIs evolve from organizational islands towards nation-wide and international networks interconnected via bridging entities.

BCAs provide cryptographic interoperability, policy harmonization and certificate status validation services.

There is not yet a standardized solution for building BCAs, but there are already implementations at international and national level.

Bridge Certification Authorities

Corporate/governmental PKIs may implement different architectures, security policies, and cryptographic suites.

A flexible mechanism is needed to link corporate/governmental PKIs and translate their corporate relationships into the electronic world.

The BCA architecture was designed to address the shortcomings of the two basic PKI architectures, and to link PKIs that implement different architectures.

Bridge Certification Authorities

Establish trust relationships

[Figure: Bridge CA topology. A user trusts the CA that issued his certificate. Within each organizational PKI (Organizational PKI 1, Organizational PKI 2), subordinate CAs are subordinated to the organizational root and the users (User PKI1, User PKI2) hold digital certificates issued by those subordinate CAs. The Bridge CA is linked to each organizational PKI by cross-certification.]

Trust relationship established hierarchically within the organizational PKI

Trust relationship established using cross-certification between each Organizational PKI and the Bridge

[Figure: resulting chain of trust. User PKI 1 trusts Org. PKI 1, which trusts the Bridge CA, which trusts Org. PKI 2, which trusts User PKI 2; the same chain holds in the opposite direction.]
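The two kinds of trust relationship in the diagram (subordination inside an organizational PKI, cross-certification between each organizational PKI and the Bridge) can be exercised with a small path-building routine. The following is an added example, not code from the presentation or from certSIGN: certificates are modelled as minimal records with constructed names and key identifiers (`Cert`, `build_path`, `path_names` and `demo_certs` are names chosen here), and a relying party whose only trust anchor is its own organizational root discovers a path to a user of the other PKI through the Bridge CA's cross-certificates. Without those cross-certificates the same search finds nothing, which is the "organizational island" situation the slide describes.

```python
"""Added example (not from the presentation): building a certification path
from a relying party's trust anchor to a certificate from another
organizational PKI, through the cross-certificates of a Bridge CA. Names and
key identifiers are constructed; a real implementation would also verify each
signature, validity period, name constraints and policy mappings."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str       # subject name
    issuer: str        # issuer name
    subject_key: str   # identifier of the certified key (constructed)
    issuer_key: str    # identifier of the key that signed it (constructed)
    kind: str          # "self-signed", "subordinate", "cross" or "end-entity"


# Organizational PKI 1: root, subordinate CA, user (hierarchical trust).
ORG1_ROOT = Cert("Org PKI 1 Root", "Org PKI 1 Root", "k-org1", "k-org1", "self-signed")
SUB1 = Cert("Sub CA 1", "Org PKI 1 Root", "k-sub1", "k-org1", "subordinate")
USER1 = Cert("User PKI1", "Sub CA 1", "k-user1", "k-sub1", "end-entity")
# Organizational PKI 2, same structure.
ORG2_ROOT = Cert("Org PKI 2 Root", "Org PKI 2 Root", "k-org2", "k-org2", "self-signed")
SUB2 = Cert("Sub CA 2", "Org PKI 2 Root", "k-sub2", "k-org2", "subordinate")
USER2 = Cert("User PKI2", "Sub CA 2", "k-user2", "k-sub2", "end-entity")
# Bridge CA, cross-certified in both directions with each organizational root.
BRIDGE_ROOT = Cert("Bridge CA", "Bridge CA", "k-bridge", "k-bridge", "self-signed")
CROSS_CERTS = [
    Cert("Bridge CA", "Org PKI 1 Root", "k-bridge", "k-org1", "cross"),
    Cert("Org PKI 1 Root", "Bridge CA", "k-org1", "k-bridge", "cross"),
    Cert("Bridge CA", "Org PKI 2 Root", "k-bridge", "k-org2", "cross"),
    Cert("Org PKI 2 Root", "Bridge CA", "k-org2", "k-bridge", "cross"),
]


def demo_certs(with_bridge: bool = True) -> List[Cert]:
    """Certificates available to the path builder; without the bridge the two
    organizational PKIs are isolated islands."""
    certs = [ORG1_ROOT, SUB1, USER1, ORG2_ROOT, SUB2, USER2]
    if with_bridge:
        certs += [BRIDGE_ROOT] + CROSS_CERTS
    return certs


def build_path(anchor: Cert, target: Cert, certs: List[Cert]) -> Optional[List[Cert]]:
    """Breadth-first path building starting from the trust anchor. Each step
    takes a certificate signed by the key validated so far whose issuer name
    matches the previous subject (a subordination or a cross-certificate).
    Returns the shortest path, anchor and target included, or None."""
    queue = deque([[anchor]])
    seen = {anchor.subject_key}
    while queue:
        path = queue.popleft()
        last = path[-1]
        for cert in certs:
            if cert.issuer_key != last.subject_key or cert.issuer != last.subject:
                continue
            if cert == target:
                return path + [cert]
            if cert.kind == "end-entity" or cert.subject_key in seen:
                continue  # end-entity keys cannot issue; skip keys already reached
            seen.add(cert.subject_key)
            queue.append(path + [cert])
    return None


def path_names(anchor: Cert, target: Cert, certs: List[Cert]) -> Optional[List[str]]:
    """Subject names along the discovered path, for readability."""
    path = build_path(anchor, target, certs)
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    print(path_names(ORG1_ROOT, USER2, demo_certs()))
    print(path_names(ORG1_ROOT, USER2, demo_certs(with_bridge=False)))
```

The bridge never appears as a trust anchor: each relying party keeps trusting only its own root, and it is the pair of cross-certificates per organization that lets a path pass through the bridge. In a real deployment each certificate on the discovered path must still pass the usual validation (signature, validity period, revocation status, name constraints and policy mapping), which is where the BCA's policy harmonization work matters.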

Trusted Lists

“Trusted List”: term used to designate the Supervision/Accreditation Status List of those services from QCSPs that are supervised/accredited by a Member State's Supervisory Body, which is in charge of establishing, securely publishing and maintaining such a list in the context and requirements of the eSignature Directive (1999/93/EC).

Trusted Lists

The Trusted List aims to solve the validation problem of QES (Qualified Electronic Signatures) and AdES (Advanced Electronic Signatures) supported by a QEC (Qualified Electronic Certificate) in a cross-border context:

supports interoperability and facilitates the cross-border use of e-signatures

contains the structured information needed for the validation of the electronic signature by the relying party

complements the information available in the certificate of the signer and the related certification chain supporting a QES or an AdES supported by a QEC
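What "structured information needed for validation" means in practice is shown by the following added example, which is not code from the presentation or from certSIGN. A relying party has a signer's certificate and the identifier of the CA that issued it; it asks the Trusted List whether that CA was a supervised or accredited qualified-certificate CA at the time of signing. The XML is a constructed, simplified list that keeps only the elements used here and is not a schema-valid ETSI Trusted List; the service-type and status identifiers follow the ETSI URI pattern, and the function and element names (`parse_trusted_list`, `status_at`, `qualified_at`, `X509SKI`, `ServiceHistory`) are assumptions of this example. The status history matters: a CA whose supervision later ceased still validates signatures made while it was supervised.

```python
"""Added example (not from the presentation): looking up a signer's issuing CA
in a Trusted List and evaluating its status at signing time. The XML below is
a constructed, simplified list, not a schema-valid ETSI Trusted List."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"   # CA issuing qualified certificates
VALID_STATUSES = {"undersupervision", "accredited"}   # statuses under which the CA's certificates count as qualified


def ski_b64(raw: bytes) -> str:
    """A service's certificate is identified here by its Subject Key Identifier, base64-encoded."""
    return base64.b64encode(raw).decode()


# Constructed sample list: one CA whose supervision ceased in 2011, one accredited CA
# and one time-stamping service (the wrong service type for certificate validation).
SAMPLE_TL = f"""<TrustServiceStatusList>
  <TrustServiceProvider>
    <TSPName>Constructed QCSP</TSPName>
    <TSPService>
      <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
      <ServiceName>Constructed Qualified CA 1</ServiceName>
      <X509SKI>{ski_b64(b'ski-ca-1')}</X509SKI>
      <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/supervisionceased</ServiceStatus>
      <StatusStartingTime>2011-01-01T00:00:00Z</StatusStartingTime>
      <ServiceHistory>
        <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision</ServiceStatus>
        <StatusStartingTime>2008-06-01T00:00:00Z</StatusStartingTime>
      </ServiceHistory>
    </TSPService>
    <TSPService>
      <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
      <ServiceName>Constructed Qualified CA 2</ServiceName>
      <X509SKI>{ski_b64(b'ski-ca-2')}</X509SKI>
      <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/accredited</ServiceStatus>
      <StatusStartingTime>2010-03-01T00:00:00Z</StatusStartingTime>
    </TSPService>
    <TSPService>
      <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA</ServiceTypeIdentifier>
      <ServiceName>Constructed Time-Stamping Service</ServiceName>
      <X509SKI>{ski_b64(b'ski-tsa-1')}</X509SKI>
      <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision</ServiceStatus>
      <StatusStartingTime>2009-01-01T00:00:00Z</StatusStartingTime>
    </TSPService>
  </TrustServiceProvider>
</TrustServiceStatusList>"""


def utc(text: str) -> datetime:
    """Parse the list's UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_trusted_list(xml_text: str) -> List[Dict]:
    """Flatten the list into one record per service, with the status history
    sorted by starting time (the current status is simply the latest entry)."""
    services = []
    for tsp in ET.fromstring(xml_text).findall("TrustServiceProvider"):
        for svc in tsp.findall("TSPService"):
            history: List[Tuple[datetime, str]] = []
            for node in [svc] + svc.findall("ServiceHistory"):
                status_uri = node.findtext("ServiceStatus")
                history.append((utc(node.findtext("StatusStartingTime")), status_uri.rsplit("/", 1)[-1]))
            history.sort()
            services.append({
                "tsp": tsp.findtext("TSPName"),
                "name": svc.findtext("ServiceName"),
                "type": svc.findtext("ServiceTypeIdentifier"),
                "ski": base64.b64decode(svc.findtext("X509SKI")),
                "history": history,
            })
    return services


SERVICES = parse_trusted_list(SAMPLE_TL)


def status_at(services: List[Dict], issuer_ski: bytes, when: datetime) -> Optional[str]:
    """Status the list assigned to the CA/QC service identified by issuer_ski
    at time `when`; None if no such service is listed or it had no status yet."""
    for svc in services:
        if svc["ski"] != issuer_ski or svc["type"] != CA_QC:
            continue
        current = None
        for start, status in svc["history"]:
            if start <= when:
                current = status
        return current
    return None


def qualified_at(services: List[Dict], issuer_ski: bytes, signing_time: datetime) -> bool:
    """The relying party's decision: was the issuing CA supervised or accredited
    when the signature was made? A later change of status does not undo it."""
    return status_at(services, issuer_ski, signing_time) in VALID_STATUSES
```

The lookup keys on the service's certificate identity and service type rather than on the provider's name, because the same QCSP can operate qualified CAs, non-qualified CAs and time-stamping services side by side and only the CA/QC entries say anything about the signer's certificate. In production the list itself is a signed document fetched from the Member State's publication point, and its signature must be verified before any entry is trusted.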

3. Interoperability of electronic signatures

Interoperability of electronic signatures

A reference format for AdES is needed to facilitate the cross-border use of QES.

Using XAdES (CAdES), signers may incorporate certain properties into the XMLSig (CMS) signature structure before computing the signature value, including them in its computation.

Signers or other parties may request and incorporate a time-stamp on the signature, which provides a trusted upper boundary on the generation time.

Using XAdES (CAdES), verifiers or third parties may incorporate properties encompassing the long-term lifecycle of the signature, which after its generation includes first verification, storage for several years, and auditing.
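The distinction the three statements above rely on, properties that are covered by the signature value versus properties attached afterwards, is the one a verifier has to get right. The following is an added example, not code from the presentation or certSIGN's XAdES/CAdES implementation: it builds a CAdES-like structure in which the signer's properties (here a claimed signing time) and the content digest form the signed set over which the signature value is computed, then attaches a signature time-stamp as an unsigned property and shows what each check proves. HMAC stands in for the asymmetric signatures of the signer and of the time-stamping authority, JSON with sorted keys stands in for DER/C14N encoding, and the keys, content and names (`sign`, `add_signature_timestamp`, `verify`) are constructed for this example.

```python
"""Added example (not from the presentation): signed versus unsigned
properties in a CAdES/XAdES-style signature, and what a signature
time-stamp proves. HMAC is a stand-in for the real asymmetric signatures."""
import hashlib
import hmac
import json
from datetime import datetime
from typing import Any, Dict

SIGNER_KEY = b"constructed-signer-key"   # stand-in for the signer's private key
TSA_KEY = b"constructed-tsa-key"         # stand-in for the time-stamping authority's key
CONTENT = b"Application form, constructed sample content"


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _encode(obj: Dict[str, Any]) -> bytes:
    """Deterministic encoding of a property set (plays the role of DER / C14N)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(content: bytes, signed_props: Dict[str, Any], key: bytes = SIGNER_KEY) -> Dict[str, Any]:
    """Build the signature. The signer's properties and the content digest form
    the signed set; the signature value is computed over that set, so none of
    them can be changed afterwards without invalidating the signature."""
    props = dict(signed_props)
    props["message-digest"] = _digest(content)
    return {"signed": props, "value": _mac(key, _encode(props)), "unsigned": {}}


def add_signature_timestamp(sig: Dict[str, Any], tsa_time: str, key: bytes = TSA_KEY) -> None:
    """Unsigned property: a TSA token over the signature value. It is attached
    after signing and leaves sig["value"] untouched."""
    token = {"gen-time": tsa_time, "imprint": _digest(sig["value"].encode())}
    token["tsa-value"] = _mac(key, _encode(token))
    sig["unsigned"]["signature-time-stamp"] = token


def verify(content: bytes, sig: Dict[str, Any], key: bytes = SIGNER_KEY,
           tsa_key: bytes = TSA_KEY) -> Dict[str, Any]:
    """Check the signature first, then the time-stamp. 'proven_before' is the
    trusted upper bound on the generation time; 'claimed_time_plausible' says
    whether the signer's own signing-time claim is consistent with that bound."""
    props = sig["signed"]
    signature_ok = hmac.compare_digest(_mac(key, _encode(props)), sig["value"])
    content_ok = props.get("message-digest") == _digest(content)
    result = {"signature_ok": signature_ok, "content_ok": content_ok,
              "proven_before": None, "claimed_time_plausible": None}
    token = sig["unsigned"].get("signature-time-stamp")
    if token is not None:
        body = {k: v for k, v in token.items() if k != "tsa-value"}
        token_ok = hmac.compare_digest(_mac(tsa_key, _encode(body)), token["tsa-value"])
        binds_signature = token["imprint"] == _digest(sig["value"].encode())
        if token_ok and binds_signature:
            result["proven_before"] = token["gen-time"]
            claimed = props.get("signing-time")
            if claimed is not None:
                result["claimed_time_plausible"] = (
                    datetime.fromisoformat(claimed) <= datetime.fromisoformat(token["gen-time"]))
    return result


if __name__ == "__main__":
    s = sign(CONTENT, {"signing-time": "2022-03-25T09:58:00+00:00"})
    add_signature_timestamp(s, "2022-03-25T10:00:00+00:00")
    print(verify(CONTENT, s))
```

Two points this makes concrete: the signing time the signer writes into the signed properties is only a claim (it is protected from later tampering, but the signer could have written anything), whereas the TSA's time is evidence that the signature value already existed at that moment; and because the time-stamp is unsigned with respect to the original signature, adding it, or later adding validation data for long-term storage, never requires re-signing.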

Interoperability of electronic signatures

ETSI organizes XAdES/CAdES interoperability tests.

certSIGN:

the only Romanian company involved in the ETSI interoperability tests

developed its own software for implementing the XAdES/CAdES signature formats

successfully passed the tests

4. Conclusions

Conclusions

Solving interoperability issues is the keystone element of implementing pan-European services.

Governments, industry and independent organizations shall be involved.

certSIGN is a reliable partner to implement interoperability projects, based on:

Previous experience in implementing operational Bridging Certification Authorities (Romanian National Defense System)

Own developed software modules tested in ETSI interoperability tests

Competencies in the PKI and information security field

Contact

Adrian Floarea

Business Development Director

certSIGN

Phone: 004-021-311.9901

Fax: 004-021-311.9905

Mobile: 004-0726.678.375

e-mail: [email protected]