EUID Wallets Certification


Stay up to date with the latest EU legislation and updates on EUID wallets certification. Discover the proposed EUDI Wallet Framework and the Architecture and Reference Framework for European Digital Identity Wallets.





Uploaded on Dec 21, 2023 | 3 Views


Presentation Transcript


  1. EUID WALLETS CERTIFICATION. Sławomir Górniak, Senior Security Expert, Market, Certification and Standardisation Unit. 26 04 2023

  2. EU LEGISLATION CYBERSECURITY LANDSCAPE EUID Wallets certification 2

  3. EIDAS REGULATION V2 UPDATES
     - A European Digital Identity Wallet Framework
     - The Recommendation for an EU Toolbox for a coordinated approach towards a European Digital Identity Framework
     - Certification of European Digital Identity Wallets (art. 6) and of electronic identification schemes (art. 12) under the CSA
     - Harmonised approach to trust, security and interoperability through standards (multiple articles)
     - Three new qualified trust services (provision of electronic archiving services, electronic ledgers and management of remote electronic signature and seal creation devices)
     - Alignment of the Trust Service provisions with the rules applicable to NISDv2 (articles 17, 18, 20, 21 and 24).

  4. EUDI WALLET FRAMEWORK PROPOSAL
     - EUDI Wallet: electronic identification means at assurance level high under eIDAS
     - Recommendation on Member States to work on:
       - Toolbox including a technical Architecture and Reference Framework
       - Set of common standards and technical specifications
       - Set of common guidelines and best practices for the implementation of the EUDI framework
     - Conformity of EUDI Wallets with technical and operational specifications and reference standards established by means of implementing acts, shall be certified
     - Certification of the EUDI Wallets will ensure security, trust and robustness
     - EU-wide certification scheme will bring harmonization and interoperability
     - Certification should rely as much as possible on the available CSA schemes
     - In practice starting with the EUCC
     - Supplement the EUCC scheme with additional specifications, procedures and reference standards by means of adoption of eIDAS implementing acts
     - Develop protection profiles leveraging on relevant parts of the EU5G and EUCS to support EUDI Wallets

  5. ARCHITECTURE AND REFERENCE FRAMEWORK
     - The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework
     - The European Digital Identity Wallet Architecture and Reference Framework v1.1.0 April 2023
     - Goal: to provide specifications to develop an interoperable EUDI Wallet solution, based on common standards and practices
     - Defines European Digital Identity Wallet Ecosystem
     - Represents state-of-play of ongoing work of the eIDAS Expert Group
     - In the future, will be aligned to the outcome of the legislative negotiations of the proposal for a European Digital Identity Framework

  6. ARF EUDI WALLET ECOSYSTEM

  7. EUDI WALLET FRAMEWORK REQUEST
     - Request for technical support from ENISA to develop a cybersecurity certification scheme for the European Digital Identity Wallet
     - Indicate which CSA schemes (EUCC, EU5G, EUCS) can be used for certification (Protection Profiles, security requirements, evaluation methodologies, etc.).
     - Gap analysis and proposal of possible solutions if no scheme parts exist
     - Analysis of the current state of play of European market
     - Gap analysis for interoperability and functional testing requirements and evaluation methodology for non-cybersecurity relevant aspects of EUDI Wallets
     - Collaborate with Member States, SDOs and the Commission to design functional and interoperability test suites for the EUDI Wallets certification

  8. EUDI WALLET FORMS AND SECURITY TECHNOLOGIES

  9. EUDI WALLET COMPONENTS
     - Software
     - Interfaces
     - Primary hardware
     - Secure element (secure cryptographic material storage)
     - Secondary hardware
     - Services
       - Onboarding of a user
       - Issuance of the EUDI Wallet
       - Authentication of the user
       - Display of the EU Digital Identity Wallet Trust Mark
       - Request of person identification data (PID)
       - Issuance of a PID
       - Request for a (qualified) electronic attestation of attribute
       - Request for a (qualified) electronic certificate
       - Storage of PID and/or (Q)EAAs
       - Deletion PID and/or (Q)EAAs
       - Validation of a request from a relying party
       - Presentation of PID or (Q)EAAs to a relying party
       - Electronic identification (authentication) of an EUDI Wallet user
       - Enabling the user to sign
       - Enabling the user to seal

  10. DIGITAL IDENTITY STANDARDS
     - ENISA study 2022: major gaps in standardisation of EUDI Wallet
     - No standards for the cryptographic device interface (direct interface of the cryptographic component of the mobile device)
     - Functional testing requirements missing for elements of the EUDI Wallet except: PID/(Q)EAA mutual authentication protocols, qualified electronic signatures
     - No standards fulfilling the EUDI Wallet needs in 100%
     - All of the existing ones designed for pure on-line or off-line use cases
     - Draft ISO/IEC 23220 series (PID) designed to target the Digital Identity Wallet
     - ETSI efforts
     - Definition of the What and not the How
     - Some use cases standardised

  11. OTHER CERTIFICATION SCHEMES UPDATE
     - EUCC: a horizontal ICT products scheme
     - Common Criteria, ISO/IEC 17065 & 17025
     - Defines the how to certify
     - The what to certify is for risk owners to define through Protection Profiles
     - EUCS: a generic cloud services scheme
     - Defines a baseline of requirements that are applicable to all services.
     - Enables the same methodology for all services
     - Does not assess the security of product-specific security features (Security as a Service)
     - Combining product security evaluation and product lifecycle processes evaluation
     - As-is transposition of existing scheme elements - GSMA NESAS, SAS-SM Subscription Management, SAS-UP (UICC Production) and eUICC
     - Development of the candidate scheme

  12. POTENTIAL CERTIFICATION PROCESS
     - Transition Scheme
       - use of the EUCC scheme for the cybersecurity certification of the ICT products parts or components of the EUDIW
       - use of extended version of the EUCC supplemented by additional specifications (e.g. EUDIW related protection profiles, state-of-the-art like documents) to cover the ICT services and ICT processes dimensions of the wallet
       - for cybersecurity requirements not covered by the EUCC or the supplemented EUCC version, and for the non-cybersecurity requirements, the use of the ISO/IEC 17065
     - Dedicated CSA scheme for the EUDI Wallet
       - to be formally launched once the full technical specifications of the wallet will be
       - for non-cybersecurity requirements, the use of the ISO/IEC 17065 framework

  13. THANK YOU FOR YOUR ATTENTION. Sławomir Górniak, Senior Cybersecurity Expert, Market, Certification and Standardisation Unit, European Union Agency for Cybersecurity. +30 697 00 151 63, slawomir.gorniak@enisa.europa.eu, www.enisa.europa.eu
