Greek Presidency of the European Union

Transcription

1 Greek Presidency of the European Union! Introduction PKI Services in the Public Sector of the EU Member States Page 0-1 of 0-10

2 Research Team Dr. Stefanos Gritzalis, Asst. Prof. of I&C Systems Security Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece Scientific Director Dr. Sokratis Katsikas, Prof. of Informatics Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece Technical Director Dr. Dimitris Gritzalis, Asst. Prof. of I&CT Security Dept. of Informatics, Athens University of Economics and Business Quality Manager Dr. Lilian Mitrou, Asst. Prof. of Law Dept. of Information and Communication Systems Engineering, University of the Aegean, Greece Senior Researcher Dr. Mihalis Avgoustianakis, Asst. Prof. Of Law Dept. of Law, University of Athens, Greece Senior Researcher Dr. Yannis Stamatiu, Asst. Prof. of Cryptography Dept. of Mathematics, University of the Aegean, Greece Senior Researcher Dr. Dimitris Lekkas, Adjunct Lecturer of Informatics Dept. of Products and Systems Design Engineering, University of the Aegean, Greece Senior Researcher Mr. Yannis Marias Dept. of Informatics and Telecommunications University of Athens, Greece Researcher PKI Services in the Public Sector of the EU Member States Page 0-2 of 0-10

3 Acknowledgements We would like to express our sincere appreciation to the Greek Presidency of the European Union for giving us the opportunity to carry out this project, which we trust will contribute to the development of a secure and reliable egovernment applications framework, throughout the Member States. We are grateful to Prof. P. Georgiadis, Secretary General of the Greek Ministry of Interior, Public Administration, and Decentralization for his confidence and continuous support. We would, also, like to thank Mr. E. Panagiotopoulos, CEO of Information Society S.A. for his keen and kind support. Many thanks to the members of the Working Group on e-government of the EU Member States for their contribution to our work, and in particular to Mr. N. Saridakis and the members of the Greek delegation on egovernment for their support during our work. We trust that the academic institutions and the research community in Greece will keep on contributing towards the development of secure technologies and solutions for the benefit of the citizens, the public and the private sector. Athens, April 2003 Asst. Prof. Stefanos Gritzalis Scientific Director of the Study PKI Services in the Public Sector of the EU Member States Page 0-3 of 0-10

4 Executive Summary The underlying strategic framework of eeurope-2005 is based on two groups of actions: " The first group is the provision of services, applications and content. " The second is the assurance of broadband and secure communications. Among the key actions to support security in the Public Sector of the EU Member States is the secure communication between public services and the establishment of trust between the public services, as well as between the government and the citizen. An important aspect towards this direction is the deployment of a Public Key Infrastructure (PKI). The public sector of the EU Member States should be aware of the capabilities and timely act and ensure the wide use of PKI services, such as electronic signatures and digital certificates, towards the provision of secure e- government services to citizens and the improvement of secure and interoperable electronic communications between public services. The general objective of this study is to identify the particular requirements of the Public Sector for the exploitation and the deployment of the Public Key Infrastructure services. In specific, the following objectives are to be met: " To review the use of electronic signatures for e-government services. " To identify the technologies and standards employed for the exploitation of certification services. " To discuss digital certificates management in the public sector. " To discuss legal issues referring to the use of e-signatures. " To provide a set of good-practices on the use of certification services in the public sector. The methodology followed towards the achievement of the abovementioned objectives is based on three key actions: " Review of current situation, in respect to the state-of-practice, the legal or regulatory issues and the international standardization work on e-signatures use. " Survey of the situation and the relevant experiences in EU and non-eu countries. " Preparation of a set of good practices for the exploitation and the deployment of PKI services in the public sector of the EU Member States. In the course of the review of the state-of-practice on Certification Services, the issue of Qualified Digital Certificates is discussed in detail. A qualified certificate is distinguished due to its special characteristics, such as the obligatory unique identification of the issuer and the subject, the explicit reference of its intended purpose, the embodiment of signature-verification-data corresponding to the subject, its predefined period of validity, the electronic signature of the issuing Certification Services Provider (CSP) and the embodiment of usage limitations and case-relevant extensions. A CSP issuing qualified certificates is required to demonstrate the appropriate reliability, provide appropriate directory and revocation services, effectively verify the physical entity s identity, employ properly qualified personnel, use trustworthy and physically secure systems, strongly protect its own signature creation data, keep records relevant to qualified certificates, publish policies, practices, terms, and conditions and maintain sufficient financial resources for its operation. Some additional requirements for the Public Sector are identified, such as the performance of risk analysis and assessment, the certification according to ISO 9000 standards, the PKI Services in the Public Sector of the EU Member States Page 0-4 of 0-10

5 protection of personal data, the insurance coverage and the long-term repositories for storing signature verification data. In respect of the Legal and Regulatory Issues concerning the CSP, the survey showed that all EU- Member States have implemented the EU Directive on electronic signatures, possibly incorporating preexisting regulation and setting it within a broader framework, such as legislation on Electronic Commerce. Secondary Regulations and/or Ordinances exist in several Member States, mostly introducing provisions on supervision as well as accreditation bodies and procedures. In general there are no distinctions or differentiations concerning the legal recognition and evidentiary value of advanced electronic signatures in public sector transactions. The review of the Standardization work in the field of PKI focuses on the European initiatives and bodies, such as the European Telecommunication Standards Institute (ETSI) which provides Europe's contribution to the world-wide standardization, the Information Society Standardization System (CEN/ISSS) and the European Electronic Signature Standardisation Initiative (ICTB/ EESSI). Many technical standards in the area exist also in the international arena. ISO and ITU provide worldwide de jure standards, IETF provides important widely accepted de facto Internet standards, W3C presents many recommendations for structuring web documents and RSA proposes specific Public Key Cryptography Standards. The existing and emerging standards, which are relevant to certification services, are categorized and presented in six major fields: Cryptography, Secure hardware, Digital certificates, Certification services including digital signatures, Key management, authorization, time-stamping and notary, General support such as ICT Security, Directory access, Database management, Repositories and Interoperability and Management including IS management, Quality control, Policy composition and Audit. The deployment of PKI in non-eu countries provides valuable input for the completeness of the survey. The current situation in Canada, USA, Australia, Japan and other countries is examined and some major findings are collected. In Canada, a Policy Management Authority exists that regulates the operation of the CSP, while external non-governmental subscribers are allowed. The Canadian key management procedures have several similarities to the ones proposed by the EU Directive. In USA a Federal PKI is already fully functional and the current development of the Federal Bridge CA assures interoperability between CSP. An important issue is the provision of various assurance levels for certificates. In Australia, a Government Public Key Authority plays the role of accreditation body. The practice of various grades of certificates for individuals and non-individuals is also followed here. In Japan, the GPKI, running on the top of Kasumigasaki governmental WAN, illustrates the structure of PKI, including a Bridge CA, the Ministries CA, and Private Sector s CA. The Survey in EU Member States is performed by means of a questionnaire, which was circulated to the Member States via CIRCA. All recipients responded and the results are included explicitly in the present deliverable, while the important issues are further processed and incorporated in the good practices proposed. The questions addressed to the Member States focus on the existing e-services, the legal status of certificates, the current way of certificates exploitation in the public sector, the requirements from CSP and the use of certificates for G2G and G2C transactions. Some indicative results deriving from the questionnaire responses are: In 14 Member States there is at least 1 CSP offering qualified certificates. In 13 Member States there is one authority responsible for the accreditation of CSP. In 9 Member States the accreditation and the supervision of CSP are performed by the same entity/authority. In 7 Member States certificates have been employed in G2G transactions and 6 have relative plans. In all Member States the Public Sector obtains services from multiple CSP. 10 Member States require Risk Analysis and Assessment of CSP Information Systems and 4 require additionally ISO 9000 certification. In 6 Member States PKI Services in the Public Sector of the EU Member States Page 0-5 of 0-10

6 there exists (or is planned) a central repository, which provides each and every civil servant with a certificate. In 10 Member States smart cards are used to keep signature-creation-data. In order to facilitate the extraction of conclusions from the survey and restrict the examined area, some working assumptions are made during the composition and the process of the questionnaires. It is assumed that G2G and G2C transactions are under investigation, while C2G transactions are excluded (G stands for Government and C for Citizen). The focus is set on specific security requirements, being authentication, non-repudiation, and integrity, however the proposed good practices are subject to additional requirements imposed by specific public sectors, such as military, public transportation and finance. It was also identified that all Member States already comply with EU Directive 99/93. The good practices proposed follow the outline of the Articles 3, 5, 6 and 8 of the EU Directive 99/93, since they address the technical and operational issues for the CSP. A summary is included hereinafter: Regarding the CSP operation and specifically the operator of the CSP, the government is generally considered as the owner of its Public Key Infrastructure. The operator may be either a governmental authority, or the operation may be outsourced to the private sector. The handling of the case when a CSP ceases operation differs in Member States, however this does not apply to purely governmental-operated CSP, since they never cease. In such a case, subject to prior interoperability established, the management of certificates will be transferred to another CSP or all issued certificates are revoked. The voluntary accreditation of CSP is generally desired for qualified certificates issuance, whereas some Member States demand compulsory accreditation. Accreditation is not a requirement for the issuance of unqualified certificates. The supervision of the operation of CSP is another aspect and it is desired that the roles of supervision and accreditation are diversified. The establishment of national supervisory bodies is already done in most Member States and the supervision, in most cases, is performed by Telecom Authorities. In respect of the requirements for digital certificates in the public sector, it is concluded that the certificates can be either identity-based, only, or role-based, however role-based certificates tend to have heavy administrative cost and therefore a personal identity certificate for every civil servant is preferable. Both qualified and unqualified are needed, each for specific user domain and the average certificate lifecycle should be between 1 and 3 years. Specifically for the public sector, it is required that the signature lifetime considerably exceeds the baseline period of 30 years. It is also suggested that different keys are used for different functions (e.g. signature, authentication and encryption). Since the key management procedures are directly related to the signature creation issues (and consequently the non-repudiation issue), it is required that key generation procedures must be performed under the full control of the enduser and that no key-recovery must be possible under any circumstances. Regarding the signature creation devices, the survey indicated a common agreement on the adoption of secure hardware tokens (e.g. smart cards). However, in order to fully exploit the secure capabilities offered by the hardware tokens, the complete conformance with international standards is recommended. The number of Certification Authorities operating for the public sector must not be limited. It is recommended that each country must ensure support for multiple CA and the desired scalability is achieved by means of web of trust architecture. The trust architecture should not be limited to specific schemes. In contrary, mixed schemes may exist, being a combination of per-sector local hierarchies, local RAs, Bridge CA and Cross-certified CA. PKI Services in the Public Sector of the EU Member States Page 0-6 of 0-10

7 Multiple Registration Authorities per region or user domain should exist. Civil servants should be given a security token by their home RA, according to a standard procedure. In the fortunate case where a central identity repository exists, then a national-wide RA is also preferable. Special provisions must be taken for the dissemination of critical information to the subscribers and the relying parties. The signature creation data (if not created by the subscriber herself) must be distributed by personal correspondence, while the signature verification data must be made publicly accessible through certificate repositories. Specific provisions are needed for the distribution of self-signed CA certificates, since their validity is not assured by a third party, but by the subject itself. The maintenance and dissemination of the Certification Trust Lists (CTL) should be performed on a per-sector basis. Another critical aspect is the prompt dissemination of Certificate Status Information (CSI) and the publishing of Certificate Policies and Certification Practice Statements. Many Member States addressed the need for the provision of value-added Certification Services, such as Time-stamping, Data confidentiality, Notary services, Audit services, Non-repudiation of receipt, and Long-lasting data repositories. Since the operational regulations for a CSP are depicted in its Certification Practice Statement (CPS), it is important that a CPS is complete and accurate. It is therefore recommended that a CPS must conform with IETF RFC-2527 and it should include, at least: CA and RA obligations, subscriber and relying party obligations, the addressing community, provided certificate classes, formats, and profiles, procedures description, CSP liabilities, value-added services description, interoperability issues and information dissemination procedures. Finally, according to Article 8 of the EU Directive 99/93, a CSP should comply with Data Protection Legislation. Special care must be taken for the dissemination of personal PKI information and for the lawful access to personal data available to CSP. As a good practice on that issue, it is recommended that data protection authorities should support public authorities to monitor the CSP privacy policies. The main result of our study is an appropriately balanced Good-Practice Guidance for the exploitation of Public Key Infrastructure by the Public Sector of the EU Member States. PKI Services in the Public Sector of the EU Member States Page 0-7 of 0-10

8 1. Introduction This report discusses legal and technical issues regarding PKI, with an eye towards deriving a good-practice guidance on how a secure and efficient infrastructure can be designed and built for supporting secure and efficient electronic communication within the public sector. The report is focused on: $ Recording the framework for the exploitation of e-signatures in the establishment of secure e-government services within each EU country. $ The identification of the technologies already employed, or planned to be employed, for the exploitation of electronic signatures in the public sector. $ The investigation of the legal issues involved in the use of e-signatures. $ The investigation of certificate management practices and procedures in the public sector. $ The identification and description of good practices, which take into account the current situation in EU countries and address good practices regarding the issues above. PKI Services in the Public Sector of the EU Member States Page 0-8 of 0-10

9 2. Scope and methodology Working hypotheses I. The results of this report are focused on the following types of public sector services: $ Government-to-government (G2G services). Examples of such services include authenticated communication of civil servants through e- mail, signing official documents sent from a civil servant in one ministry to a civil servant to another ministry, protecting the contents of such documents from alterations, etc. $ Government-to-citizen (G2C services). Examples of such services include correspondence between public administration and citizens, regarding issues such as VAT registration, etc. This report and the good practice suggestions it refers to are concerned with the design, implementation and operation of a PKI in all government sectors except Ministry of Defence, Ministry of Justice, Ministry of Public Order (or Interior), and Ministry of Foreign Affairs. As far as the addressed security requirements and electronic signatures capabilities are concerned, the report is limited in scope to the following: $ Authentication, i.e. the ability to present a unanimously acceptable piece of evidence of one s identity. $ Non-repudiation, i.e. impossibility of one denying having sent a message or having signed a document. $ Integrity, i.e. safeguarding the accuracy and completeness of information and processing methods. These security requirements are the most relevant for the support of electronic signatures in the daily G2G and G2C transactions. PKI Services in the Public Sector of the EU Member States Page 0-9 of 0-10

10 Followed methodology II. The steps of the adopted methodology are the following: $ A review on the current status-of-practice in each Member State, with regard to the development of PKI in the public sector. $ A review of standards, related to PKI, which have been proposed by international standardization bodies. $ A review of the legal and regulatory issues regarding the introduction and deployment of PKI, as they emerge in compliance with the EU Directive 99/93. $ Review of relevant case studies. $ Perform of a review on current state-of-practice on these issues. Regarding the last point above, a questionnaire was prepared and distributed, via CIRCA, to the 15 EU countries. This questionnaire is composed of 27 questions divided into the following categories: $ Identification of existing e-services in each country. $ Legal status of certificates within the country s legal framework. $ Extend of use of certificates in the public sector (targeted to G2G and G2C e-government services). $ Requirements expected by Certification Service Providers. $ Use of certificates for G2G and G2C transactions, i.e. what types of services exist that require signatures and how users signatures are created and stored. A first observation derived from the answers to the questionnaires was that all EU countries either already provide or have under deployment a number of basic public information services, as well as services requiring authentication of civil servants or even the citizens. The two services, which are common to most countries, are on-line VAT declaration and income tax return and payment. Other services include applications for various licenses and certificates, submission of data to statistical offices, registration of new companies, job search services, applications for health services, etc. PKI Services in the Public Sector of the EU Member States Page 0-10 of 0-10