Updates on ETSI ESI Standardisation for Trust Services
ETSI and CEN standards are evolving to support eIDAS with a focus on publicly trusted certificates and trust service components. Recent changes highlight advancements in identity proofing, signature validation, cryptographic suites, and more. Key drafts and policies provide insights into technologies, regulatory requirements, and service providers in the trust services domain.
Presentation Transcript
Update on ETSI ESI standardisation related to Publicly Trusted Certificates
Arno Fiedler / Nick Pope, ETSI ESI Vice Chairs
Changes since last report highlighted
27 October 2021
ETSI & CEN Standards supporting eIDAS: the overall picture
(Overview diagram of the standards series; the boxes and their contents, as far as recoverable from the slide text, are listed below. Markers in the diagram distinguish completed standards, updates in progress and new items.)
- 119 0xx General framework: standards framework, common definitions, guides
- 119 6xx Trusted list: trust service status lists; using and interpreting trusted lists (new); validation policy using trusted lists (new)
- x19 4xx TSPs supporting digital signatures. Trust services for: issuing certificates, time stamping, signature creation services, signature validation services, identity proofing (new), open banking
- x19 5xx Trust application service providers. Trust services for: registered eDelivery / eMail, long term preservation
- x19 1xx Signature creation & validation. Formats: XAdES (XML), CAdES (CMS), PAdES (PDF), ASiC (containers), JAdES (new). AdES creation & validation: Part 1: procedures; Part 2: signature validation report; Part 3: extended signature validation (new)
- 119 3xx Cryptographic suites: signature suites (hash, asymmetric crypto, key generation, lifetime); schema for algorithm catalogues (new)
- 419 2xx Signing devices (CC protection profiles): QSCD smart cards, HSM used as QSCD, HSM used by TSPs, remote QSCD
Identity Proofing
- TR 119 460: Survey of technologies and regulatory requirements for identity proofing for trust service subjects. https://www.etsi.org/standards-search#search=TR119460
- Draft TS 119 461: Policy and security requirements for trust service components providing identity proofing of trust service subjects
  - Applicable to natural and legal persons (i.e. physical people and organisations), local and remote registration, and a range of EU trust services: certificate authorities, registered email, …
  - Also potentially: electronic IDs, know your customer
  - Public review completed: 22 organisations responded
  - Published July 2021: https://www.etsi.org/standards-search#search=TS119461
EN 319 401 / 411-1 / 411-2 Policy Requirements updates
Multiple detailed changes to clarify requirements, including:
- Trust service components (subcontracted components, e.g. RA, server signing, …)
- Alignment with short term certificates
- Opening the RFC 5280 size limits (64 characters) in EN 319 412-x
- Re-wording existing requirements, clarifying terminology
- Alignment of 411-1 requirements with 411-2; some general requirements moved from 411-2 to 411-1
- Use of the EU Trusted List by relying parties for qualified certificates
EN 319 401: 14 changes; EN 319 411-1: 25 changes; EN 319 411-2: 4 changes
ENs approved:
- https://www.etsi.org/standards-search#search=EN319401
- https://www.etsi.org/standards-search#search=EN319411-1
- https://www.etsi.org/standards-search#search=EN319411-2
Alternative option for alignment with CAB Forum Baseline
- Alternative policy for qualified website authentication certificates in EN 319 411-2:
  - EN 319 411-1 PTC requirements based on the CAB Forum Baseline
  - + EN 319 411-1 NCP general requirements, including requirements for validation of identity
  - + EN 319 411-2 requirements for qualified certificates
- Alternative certificate profile for website certificates in EN 319 412-4:
  - Certificate profile requirements specified in the CAB Forum Baseline section 7.1
  - + Certificate profile requirements specified in EN 319 412-2 (for natural persons) or EN 319 412-3 (for legal persons)
- Existing EV based policy and profile still supported
Further updates: EN 319 401 / 411-1 / 412-x / 421
- Clarification on identifiers for natural persons
- Identifier for governmental organisations (CABF suggestions welcome)
- EN 411-1 alignment with TS 119 461 and other detailed changes
- Alignment with the new version of ISO 27002 (Information Security Controls)
- Detailed clarifications on time-stamping policy requirements
EN 319 403-1 (previously EN 319 403) Audit
Main new features of EN 319 403-1 (2020-06):
- Audit of component services
- Clarification regarding handling of a TSP requiring corrective actions: audit report issued identifying the corrective actions required; minor non-conformities to be corrected in 3 to 6 months
- New annex on determining audit time (specifics removed)
- Other minor changes
Supplements to EN 319 403: TSP Audit Requirements
- TS 119 403-2 V1.2.4 (2020-11): Part 2: Additional requirements for Conformity Assessment Bodies auditing Trust Service Providers that issue Publicly-Trusted Certificates (as in CA/Browser Forum). Minor updates agreed as presented in autumn last year.
- TS 119 403-3 (2019-03): Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment; Part 3: Additional requirements for conformity assessment bodies assessing EU qualified trust service providers
International alignment of ETSI standards
- ETSI standards adopt internationally supported standards wherever possible; this includes alignment of the ETSI standards for website authentication certificates with the CAB Forum guidelines
- 2019 study into PKI based trust services around the world and how best to achieve mutual recognition: TR 103 684
- Establish collaboration with: Safe Identity, Asia PKI, Japan Network Security Association, Arab ICT Organisation
- Contributed to ISO DIS 27099 on PKI practices and policy framework
- Monitoring UNCITRAL Draft Provisions on the Use and Cross-border Recognition of Identity Management and Trust Services (finalized in November 2021?)
eIDAS 2 Framework: European Digital Identity
European Digital Identity Wallet:
- Electronic signatures
- National eID
- Attributes
- Other credentials
ETSI Possible Standards for eIDAS 2.0
- 40 requirements which can be met by existing ETSI standards
- 10 ETSI standards which require updating to align with the new regulation
- Started work on 3 high priority standards:
  - Profiles for attribute attestation
  - Policy and security requirements for attribute attestation services
  - EU Digital ID Wallet interfaces for trust services and signing
See: Draft SR 019 003: https://docbox.etsi.org/esi/Open/Latest_Drafts/ESI-0019003v002%20Public%20review%20draft_SR_019_003_Possible_Standards_for_eIDAS_2_0.pdf
Further information
- Information on available standards and current activities: https://portal.etsi.org/TBSiteMap/ESI/ESIActivities.aspx
- ETSI standards, available for free download: http://www.etsi.org/standards-search
- CEN standards: available through National Standards Organisations
- Updates on standardisation: https://list.etsi.org/scripts/wa.exe?SUBED1=e-signatures_news&A=1
Contacts: arno.fiedler@nimbus.berlin, nick.pope@secstanassoc.com