ENISA: E-Identification & trust services for electronic transactions Security. Prof. Manel Medina, Andreas Sfakianakis

Electronic identification and trust services

Preliminary results of the security mechanisms implemented by Trust Service Providers in Europe.

Page 1: Electronic identification and trust services

www.enisa.europa.eu

ENISA

E-Identification & trust services for electronic transactions Security

Prof. Manel Medina, Andreas Sfakianakis

Page 2: Electronic identification and trust services

Content

• eID and Trust service providers regulation in Europe

• Trust Services in the new EU Regulation

• Preliminary results of ENISA’s survey on TSP security and interoperability requirements

• Standards implemented by the TSPs in EU

Page 3: Electronic identification and trust services

eID and Trust service providers regulation in Europe

Page 4: Electronic identification and trust services

Digital Identity

Page 5: Electronic identification and trust services

eIDAS: the EU approach

Page 6: Electronic identification and trust services

Regulation on eID and TS

• Building trust in the online environment is key to economic development

• No comprehensive EU cross-border and cross-sector framework for secure electronic transactions that encompasses electronic trust services

• Enhance existing legislation

Page 7: Electronic identification and trust services

Scope

• Mutual recognition and acceptance of electronic identification

• Electronic trust services:
– Electronic signatures
– Electronic seals
– Website authentication
– Electronic time stamp
– Electronic delivery service
– Electronic documents
– Long time preservation

Page 8: Electronic identification and trust services

Mutual recognition and acceptance of electronic identification

• How does it work? ‘notified’ eID(s)

• EU Member States obligations:
– ‘notify’ the ‘national’ electronic identification scheme(s) used at home for access to its public services.
– Must recognise ‘notified’ eIDs of other MSs
– Free private & abroad, liability Unambiguous

• Common principles:
– Tech. neutral
– Mutual recognition of qualified
– Data protection & data minimisation
– Secondary legislation to ensure flexibility: Tech, Best pr.

Page 9: Electronic identification and trust services

More on the Regulation on eID and TS

• What is not covered?
– Not eID or EU eID

• Why will it make a difference?
– One single legislation across EU: NO need of Nat. Reg.
– Supervision
– Trusted lists vs. notified ID
– Easy eSignature: “Soft ID”?
– Clear market needs in terms of trust services

• https://ripe66.ripe.net/presentations/291-eIDAS_May2013.ppt

Page 10: Electronic identification and trust services

ENISA’s Survey on Trust Services in the EU

Page 11: Electronic identification and trust services

ENISA’s work on Trust Services in the EU

• Risk assessment, security requirements and incident management for trust service providers issuing electronic certificates. (ENISA Work Programme 2013)

• Explore security mechanisms used by EU TSPs and identify their interoperability issues. (ENISA Work Programme 2013)

Page 12: Electronic identification and trust services

ENISA’s survey on Trust Services in the EU

• Launched anonymous survey intended for TSPs

• Survey is still online!! https://www.enisa.europa.eu/trust-services-in-eu

• The final results of the survey will be presented at a workshop for trust service providers: https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/eid-workshop

Page 13: Electronic identification and trust services

General Security Audit (I): Kind of Audits

Page 14: Electronic identification and trust services

General Security Audit (II): Periodicity

[Chart: Periodicity of audits; categories: <= 12 months, > 12 months; y-axis 0% to 100%]

15% indicated less than 12 months

Page 15: Electronic identification and trust services

General Security Audit (III): Applied Standards

[Chart: Which general security management standards do you follow? Categories: ETSI TS 102042, ETSI TS 101456, WebTrust, etc.; y-axis 0% to 100%]

Page 16: Electronic identification and trust services

General Security Audit (&IV): Audit Supporting documents

[Chart: Audit supporting documents, y-axis 0% to 100%; categories: Certification Practice Statement, Information Security Policy, Job descriptions for Trusted Roles, Inventory of Assets, Business Risk Assessment, Business Continuity Plan, Incident Response Plan, CA Termination Plan]

94% of participants issue certificates

94% of the TSPs provide (or intend to provide) e-certificates, 78% other trust services and 22% only electronic certificates.

Page 17: Electronic identification and trust services

Other TSs Provided (mostly by CSPs)

[Chart: What kind of services do the TSPs provide? y-axis 0% to 100%]

Page 18: Electronic identification and trust services

Supported standards (I): e-signature

Page 19: Electronic identification and trust services

Supported standards (II): Time Stamping

[Chart: What TimeStamping format standards are supported? Categories: RFC 3161 Time Stamp Protocol, DSS XML TimeStamping Profile; y-axis 0% to 100%]

Page 20: Electronic identification and trust services

Supported standards (III): Certificate Validation

[Chart: What certificate validation standards are supported? Categories: OCSP, CRL, SCVP; y-axis 0% to 100%]

Page 21: Electronic identification and trust services

Supported standards (&IV): Long Time Preservation

[Chart: What standards are used to provide long-time preservation of e-Signatures? y-axis 0% to 100%]

Page 22: Electronic identification and trust services

Risk / Impact perception (I): Time Stamping

[Chart: Security Risks for TimeStamping Services, plotted by Probability and Impact (scales 0 to 100)]

• Compromise of the TSA’s signature creation data (private key)

• Loss of evidence in chain of trust in the preservation of Tokens

• Compromise of the main time source

• Loss of accuracy of the main time source

• Unavailability of the main time source

Page 23: Electronic identification and trust services

Risk / Impact perception (II): Electronic Documents

Page 24: Electronic identification and trust services

Risk / Impact perception (III): Electronic Delivery

Page 25: Electronic identification and trust services

Risk / Impact perception (IV): Certificate Validation

[Chart: Security Risks for Validation Services, plotted by Probability and Impact (scales 0 to 100)]

• Unavailability of the service

• Web site / web service impersonation

Page 26: Electronic identification and trust services

Risk / Impact perception (&V): Long Time Preservation