eIDAS European Regulation for eID and Trust Services for Electronic Transactions

eIDAS Reference Guide

Uploaded by: safenet

Page 1: eIDAS Reference Guide

eIDAS: European Regulation for eID and Trust Services for Electronic Transactions

Page 2: Topics Covered

• Overview of eIDAS
• eIDAS Electronic Trust Services and types of digital signature
• Becoming a Qualified Trust Service Provider
• Meeting eIDAS use cases with Gemalto solutions

Page 3: What is eIDAS?

Page 4: What is eIDAS?

The Regulation on electronic identification and trust services for electronic transactions in the internal market (Regulation (EU) No 910/2014, known as eIDAS) is a European regulation that creates a framework for cross-border electronic identification and electronic transactions across EU Member States.

Source: The Authentication and Identity Management Index

Page 5: What are the goals of eIDAS?

• Open up access to public services and ensure secure online transactions across the borders of EU Member States
• Improve security and convenience when doing business online
• Encourage the growth of digital transactions and dematerialization
• Enable cross-border trust

Page 6: Key Provisions of eIDAS

• EU Member States are required to mutually recognize each other's notified electronic identification (eID) schemes when citizens use them to access online public services
• Electronic trust services (eTS), including electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, work across borders and have the same legal status as the equivalent paper-based processes

The two pillars: interoperability of government-issued eID, and a single digital market.

Page 7: eIDAS Timeline (2014 to 2019)

• September 2014: entry into force of the Regulation
• September 2015: voluntary recognition of eIDs*
• 1 July 2016: the eIDAS Regulation replaces the eSignature Directive**
• September 2018: mandatory cross-border recognition of eIDs

* Adoption of six implementing acts on: Member State cooperation; the interoperability framework; eID levels of assurance; formats of advanced electronic signatures and seals; technical specifications of the national trusted lists; and the EU trust mark.

** Certificates issued to natural persons under the eSignature Directive remain valid until they expire. Certification service providers have one year to submit a conformity assessment report; until then they are treated as qualified trust service providers under the new eIDAS Regulation.

Page 8: Electronic Trust Services

Page 9: Electronic Trust Services (eTS) Benefits

• Improved customer experience
• Increased trust and confidence
• Efficiency: faster processes
• New business opportunities with cross-border reach
• Efficiency: paperless operation and error reduction
• Easier regulatory compliance

Page 10: Types of Electronic Trust Services (eTS)

1. Electronic Signature: the electronic equivalent of a handwritten signature
2. Electronic Seals: issued to and used by legal persons to ensure the origin and integrity of data and documents. A seal is NOT an electronic signature of the legal person
3. Time Stamps: bind a date and time to an electronic document, proving that the document existed at that point in time and has not changed since
4. Electronic Documents: storage and transfer of documents online. eIDAS sets the principle of non-discrimination: an electronic document may not be denied legal effect or admissibility in legal proceedings solely because it is in electronic form
5. eID (Electronic Identification): the process of determining a person's or entity's identity by electronic means
6. Electronic Delivery (electronic registered delivery): infrastructure for the electronic transfer of documents or data between two entities or systems, with evidence of sending and receipt
7. Website Authentication: trusted information on a website (e.g. a certificate) that allows users to verify the authenticity of the website and its link to the entity or person behind it

Page 11: Types of Electronic Signature Defined by eIDAS

Standard (simple) Electronic Signatures
• Basic signatures in electronic form
• Recognized legally: an eSignature cannot be denied legal effect or admissibility as evidence solely because it is in electronic form

Advanced Electronic Signatures (AdES)
• Require a higher level of security, typically met with certificate-based digital IDs. An AdES must:
• be uniquely linked to, and capable of identifying, the signatory
• be created using signature creation data (the private key) that the signatory can use under their sole control
• be linked to the signed data so that any subsequent change to the data is detectable

Qualified Electronic Signatures (QES)
• An AdES based on a qualified certificate, which may only be issued by a qualified trust service provider (a CA that has been granted qualified status and is supervised by the national supervisory body designated by its Member State)
• The signature creation data (the private key) must be generated and held in a qualified signature creation device (QSCD), such as a USB token, smart card or HSM. The qualified certificate itself is public data and is not what the QSCD protects
• To provide qualified eSignature services, a trust service provider must first be granted qualified status
• A QES has the equivalent legal effect of a handwritten signature
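The AdES properties listed above (linked to one signatory's key, tamper detection) and the time-stamp service described on page 10, shown in working code. This is an added example, not code from the guide or from any Gemalto product: a Go program using only the standard library. It assumes the signer's private key is held in memory (under eIDAS it would be generated and kept in a QSCD), uses a simplified token layout in place of RFC 3161, and the contract text and party roles (Alice, Mallory, TSA) are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Signer models a key holder. Under eIDAS the signatory's private key would live
// inside a QSCD and never leave it; here it is in memory so the block runs alone.
type Signer struct{ key *rsa.PrivateKey }

// NewSigner generates a fresh 2048-bit RSA key pair.
func NewSigner() (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Signer{key: key}, nil
}

// Public returns the verification key that a certificate would bind to the signer.
func (s *Signer) Public() *rsa.PublicKey { return &s.key.PublicKey }

// Sign produces an RSA-PSS signature over SHA-256(doc).
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, h[:], nil)
}

// Verify fails if doc changed after signing or if sig was made with another key.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// TimestampToken: the TSA signs hash(doc) plus the time it saw that hash.
// (Assumed layout for this example; RFC 3161 encodes the same idea in ASN.1.)
type TimestampToken struct {
	DocHash [32]byte
	Unix    int64
	Sig     []byte
}

// tstBytes is the exact byte string the TSA signs: hash || big-endian time.
func tstBytes(hash [32]byte, unix int64) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(unix))
	return append(hash[:], t[:]...)
}

// Timestamp has the TSA attest that doc existed at time unix; it sees only the hash.
func (tsa *Signer) Timestamp(doc []byte, unix int64) (TimestampToken, error) {
	tok := TimestampToken{DocHash: sha256.Sum256(doc), Unix: unix}
	msg := sha256.Sum256(tstBytes(tok.DocHash, tok.Unix))
	sig, err := rsa.SignPSS(rand.Reader, tsa.key, crypto.SHA256, msg[:], nil)
	tok.Sig = sig
	return tok, err
}

// VerifyTimestamp rehashes doc, checks it is the hash the TSA signed, then
// verifies the TSA signature over hash and time; a changed doc or time fails.
func VerifyTimestamp(tsaPub *rsa.PublicKey, doc []byte, tok TimestampToken) bool {
	if sha256.Sum256(doc) != tok.DocHash { return false }
	msg := sha256.Sum256(tstBytes(tok.DocHash, tok.Unix))
	return rsa.VerifyPSS(tsaPub, crypto.SHA256, msg[:], tok.Sig, nil) == nil
}

// Demo signs a constructed contract and reports each check.
func Demo() (genuine, tampered, wrongKey, tsGenuine, tsTampered bool, err error) {
	alice, err := NewSigner() // the signatory
	if err != nil { return }
	mallory, err := NewSigner() // another party with their own key
	if err != nil { return }
	tsa, err := NewSigner() // the time-stamping authority
	if err != nil { return }
	doc := []byte("Contract: Alice agrees to pay 100 EUR on delivery.")    // constructed
	forged := []byte("Contract: Alice agrees to pay 1000 EUR on delivery.") // constructed
	sig, err := alice.Sign(doc)
	if err != nil { return }
	msig, err := mallory.Sign(doc)
	if err != nil { return }
	genuine = Verify(alice.Public(), doc, sig)     // true: data and key match
	tampered = Verify(alice.Public(), forged, sig) // false: data changed after signing
	wrongKey = Verify(alice.Public(), doc, msig)   // false: signed with someone else's key
	tok, err := tsa.Timestamp(doc, time.Now().Unix())
	if err != nil { return }
	tsGenuine = VerifyTimestamp(tsa.Public(), doc, tok)     // true
	tsTampered = VerifyTimestamp(tsa.Public(), forged, tok) // false
	return
}

func main() {
	g, tm, w, tg, tt, err := Demo()
	if err != nil { panic(err) }
	fmt.Println(g, tm, w, tg, tt) // true false false true false
}
```

The wrongKey check is where a certificate comes in: a verifier takes the public key from the signatory's (qualified) certificate, so a signature that verifies under that key is linked to that person and no one else. Sole control, the remaining AdES requirement, is not something a verifier can read off the signature; it depends on where the private key lives, which is why eIDAS ties a QES to a certified QSCD rather than to the mathematics alone.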

Page 12: eIDAS Electronic Signature Use Cases

Local Signing Use Cases
The user's keys are held on a Qualified Signature Creation Device (QSCD) in the form of an eIDAS-compliant smart card or USB token, and the user signs locally with that device.

For local signing, the smart card or USB token used as the QSCD must be certified against the standards referenced by the eIDAS implementing acts, in practice Common Criteria certification against the EN 419 211 protection profiles.

Remote Signing Use Cases
The user's keys are generated and held inside a Hardware Security Module (HSM) attached to a signing server. The private key never leaves the HSM; the user signs remotely, without a local token.

The eIDAS Regulation itself does NOT specify any certification standard for the HSM used in remote server signing; the certification required is decided at national level (see page 19).

Page 13: Qualified Trust Service Provider

Page 14: What is a Qualified Trust Service Provider?

Qualified trust service providers render services that ensure a higher level of security. They comply with the specific requirements laid down in the Regulation and are subject to an enhanced supervision mechanism.

Page 15: Benefits of Becoming a Qualified Trust Service Provider

• Only qualified trust service providers appear on the Trusted Lists, which record the providers and the services that have been granted qualified status. An entity that is not on a Trusted List is not permitted to provide qualified trust services
• Because the process of becoming a qualified trust service provider is stringent, the trust services they provide carry higher legal certainty and higher security of electronic transactions than non-qualified trust services
• Only qualified trust service providers may use the EU Trust Mark to advertise or market their services
• Qualified trust service providers meet a uniform level of security across Europe by complying with the requirements defined in the eIDAS Regulation

Page 16: How to Become a Qualified Trust Service Provider (TSP)

1) Assessment: the business obtains an assessment report from an accredited conformity assessment body. The assessment verifies that the business and the services it provides meet the requirements for qualified status.

2) Approval: the trust service provider sends the report, together with a notification of its intention to start providing qualified trust services, to the national supervisory body in the Member State where it is established. The supervisory body has three months from the notification to verify that the report demonstrates compliance and to grant or refuse qualified status.

3) Trusted List: if qualified status is granted, the trust service provider and the qualified trust services it provides are added to the Trusted List. These lists are established, published and maintained by the Member States.

4) Trust Mark: once the trust service provider has been granted qualified status, it may use the EU Trust Mark, which clearly differentiates it from non-qualified trust services.

Page 17: Electronic Trust Services Use Cases

Examples: eHealth, eTax filing, eBanking, eProcurement, contracts, eEducation

The eIDAS single digital market will create many opportunities for qualified trust service providers, which can attract customers looking for the most secure channel available to conduct their business.

• eEducation: eIDAS simplifies access to public administrations, allowing students to complete foreign college applications without submitting them in person. The student uses an eID to authenticate and a digital signature to sign the application, and the record is preserved digitally
• eProcurement: with eIDAS, a cross-border call for tenders is easier. Businesses can respond securely with a digital submission that uses electronic registered delivery, a time stamp to prove the submission was made on time, and an eSignature to formalize it
• eTax: a citizen who moves from one EU country to another can file the previous year's taxes without traveling. The eID is used to authenticate and a digital signature is used to file the return securely

Page 18: Gemalto Solutions for eIDAS Compliance

Page 19: Gemalto Solutions for eIDAS Electronic Signature Use Cases

Local Use Cases
The eIDAS Regulation requires CC-certified smart cards (or tokens) as the QSCD for local, client-side digital signing. Gemalto meets the requirements of the local signing use case with the IDPrime smart card family.

Remote Use Cases
The eIDAS Regulation does NOT specify any certification standard for the HSM used in remote server signing; it is up to individual countries to determine which certification is required.

As a result, the suitability of Gemalto HSMs for remote signing depends on a per-country decision based on local legislation. For example, Poland is proposing to use our HSMs as an SSCD (secure signature creation device, the eSignature Directive term for a QSCD).

Page 20: Gemalto Compliant PKI Smart Cards for Local Signing Use Cases

IDPrime MD 840 and IDPrime MD 3840 are PKI-based smart cards that address a wide range of use cases requiring PKI security, including secure access, email encryption, secure data storage and digital signature. Both cards are Common Criteria certified and have the following features:

• CC EAL5+ / PP Java Card certification for the Java platform, and CC EAL5+ / PP QSCD certification for the combination of the Java platform and the PKI applet. The CC EAL5+ / PP QSCD certification is based on the EN 419 211 protection profiles (parts 1 to 6), the standards referenced for QSCDs under the eIDAS Regulation
• Enhanced cryptographic support with both RSA and elliptic curve algorithms

• IDPrime MD 840: contact smart card
• IDPrime MD 3840: contactless smart card

Page 21: Common Criteria

eIDAS and CC: Common Criteria certification of the signature creation device is a prerequisite for qualified electronic signatures under the eIDAS Regulation.

What is Common Criteria (CC)? An international standard (ISO/IEC 15408) of guidelines and specifications for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.

Key components of CC: Protection Profiles (PP), which define the security requirements for a class of product, and Evaluation Assurance Levels (EAL 1 to 7), which define how rigorously a product is evaluated against those requirements.

Gemalto products: the IDPrime MD 840 and IDPrime MD 3840 are both CC EAL5+ / PP Java Card certified for the Java platform and CC EAL5+ / PP QSCD certified for the combination of the Java platform and the PKI applet, based on the EN 419 211 protection profiles (parts 1 to 6) referenced under eIDAS.

Page 22: Thank You!