eidas Regulation: validation

Transcription

1 eidas Regulation: validation Reg. (EU) No 910/2014, on electronic identification and trust services for electronic transactions in the internal market Sylvie Lacroix, managing partner esignature and eseal validation workshop ETSI, 10th January 2018

2 Context Since the entry into force of eidas (Regulation (EU) No 910/2014), there is a clear legal framework associated with the validation of esignature and eseal. The promotion of trusted validation services in particular, is seen as a key enabler for esignature/eseal in general as it provides a trusted, independent and neutral point of validation between the stakeholders of a signed transaction.

3 QTSPs/QTSs and their legal benefits (closed list - sub-set of TS) Provision of QC for esignatures Provision of QC for eseals QESeal QESig Ξ Data integrity & Proof of data origin Provision of QC for website auth Qualified validation of QESig Qualified validation of QESeal Qualified preservation of QESig Qualified preservation of QESeal Provision of qualified time stamps Qualified electronic registered delivery services Trustworthy results for validation of QESig/QESeal Trustworthy assurance of long term evidentiary value of QESig/QESeal presumption of the accuracy of the date & time and integrity of the time stamped data presumption of integrity of the registered data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of date &time of sending and receipt

4 Facts No big-bang after the 01/07/2016: First wave (from 08/14 to 07/17) : migration from esignature Directive toward eidas Existing TSPs (issuing certs) needed eidas audit to stay in TSL CABs needed to be eidas accredited and have their certification scheme, first for certificate issuance, then for new services NAB needed to have the accreditation scheme Supervisory Body needed to have the supervision scheme Second wave : market evolution - TSP and market interested in: remote esignatures short-term certificates (or validity assured certificates) eseals. and of course validation and preservation of esignatures/eseals

5 eidas validation concepts Non discrimination Higher requirements Genreric requirements Trust services Technological neutrality A few legal constraints (art 19) Qualified trust services References standards Legally less predictable Legally predictable; equivalence and presumptions Higher legal requirements (arts 20, 21, (23) & 24): - supervision, independence, etc - implementing acts Validation specific requirements 1. Validation of esignature or eseal: no other requirement than «confirming» that the eseal or esignature is «valid» Simple ES or AES (arts 26, 36) 2. Validation of Qualified esignature or eseal: «Legal» requirements (arts 32, 40) (optional) I.A. to refer to standards for presumption of conformity to arts 32, or 2. as a trust service 3. Qualified Validation of Qualified esignature or eseal is always a qualified trust service (optional) I.A. to refer to standards for presumption of conformity to art (e) and (f) Legal requirements (arts 33, 40) (optional) I.A. to refer to standards for presumption of conformity to arts 33, 40

6 Requirements for QTSP (Art. 24) (Art.24.1) QTSP issuing QCs (Art.24.2) a) Inform SB of any change in QTS provisioning and of intention to cease; b) Requirements on staff; c) Sufficient financial resources and/or liability insurance, in accordance with national law; d) Consumer information on terms and conditions, incl. limitations on use; e) use trustworthy systems and products; f) use trustworthy systems to store (personal) data; g) take appropriate measures against forgery and theft of data; h) Record and keep accessible activities related data, issued and received, even after cessation; i) Up-to-date termination plan (agreed with SB) to ensure continuity of service j) ensure lawful processing of personal data in accordance with Directive 95/46/EC; Art.24.2(k), Art.24.3, and Art24.4: QTSP issuing QCs

7 Pyramid of trust Art. 23 Art. 22 Arts 20, 21 EU trust mark for QTS may only be used by QTSP close to QTS + link to national trusted list Constitutive list to state who is qualified TSP and for what qualified trust service Major incentive: machine processability (off-the-shelf applications recognise QES) eidas Observatory/Library informal compiled list of eidas accredited CABs Art. 24 Arts 32, 33, 40 Ex ante (pre-authorisation) & ex post supervision by supervisory body From initiation until termination No standard is mandatory for QTSP/QTS 7

8 Art Initiation of QTSP process flow Conduction of a conformity assessment by eidas accredited CAB: Against applicable eidas requirements NOT against any standard Notification (+ CAR) to Supervisory Body Standards are nevertheless important and helpful For CAB to establish eidas certification scheme to evaluate QTSP/QTS conformity For QTSP to: set up QTSP/QTS target interoperability target best practices If referred in I.A. NAB: National Accreditation Body CAB: Conformity Assessment Body QTSP/QTS: Qualified trust service provider and the qualified trust service it provides SB: Supervisory Body TLSO: Trusted List Scheme Operator eidas: Regulation (EU) 910/2014 8

9 Art Supervision of QTSP process flow Detection or notification of events 2-yearly assessment Monitoring/detection by SB Termination QTSP notified events (e.g. changes, breaches, audits) 3rd party notifications Etc. Need for additional evidences Verification of compliance Decision on status change Update of national TL 9

10 Art (j) - Termination of QTSP process flow Provision of termination plan (TP) already at initiation & subject to Art.24.2.(a) notification of changes Notification of cessation At discretion of SB Planned or unplanned Partial or global Updated TP Audit by SB CAR by eidas accredited CAB Request for more info Evaluation & supervision of execution Qualified status update (i.e. withdrawal) 10

11 From legal to technical An EU-wide accepted scheme for conformity assessment is needed for the new trusted services. Without standardization effort, this may lead to implementations with non-equivalent levels of service and/or security that will not be adequate to reach the objective of eidas, which is to support seamless cross-border experience for esignature and eseal of documents. To promote recognition of services within the EU, ETSI works on standardization of esignature/eseal validation, addressing policy and security requirements fitting within the EU scheme for supervision of (qualified) esignature/eseal validation services, as well as specifying the protocol, and the validation report. The work intends to provide standards that will ensure coexistence of various solutions (e.g. protocols bindings). The standards provided by ETSI aim at supporting not only eidas, but also other legal or regulatory frameworks. (link to main presentation)