European Union Agency for Network and Information Security
eIDAS: One year after entry into force
ENISA Studies on Standards for TSPs
Dr. Nikolouzou Evgenia
ETSI Security Week 2017 | Sophia Antipolis | June 13, 2017
ENISA Studies on Standards for TSPs | E. Nikolouzou
ENISA and eIDAS in a nutshell
• Trust Services Studies
• Qualified Website Authentication Certificates
• Mapping of requirements to existing standards
• Guidelines for Trust Service Providers
- Security Framework
- Guidelines for TSPs based on standards
- Auditing Framework
• Relying Parties
• Initiation / Supervision / Termination
• Incident Reporting
- Article 19 Expert Group
- CIRAS-T Reporting Tool
• Trust Services Forum
Series of Guidelines on Trust Services (1/2)
2013–2014
• Security framework for TSPs
• Risk assessment for TSPs
• Mitigating the impact of security incidents in TSPs
• Auditing framework for TSPs
2016–2017
• Guidelines for TSPs based on standards
• Security Framework for TSPs
• Auditing framework for TSPs
• Initiation/Supervision/Termination of Trust Service Provision
Series of Guidelines on Trust Services (2/2)
Recommendations for TSPs based on standards
• Produce guidelines fulfilling requirements from articles of the eIDAS Regulation with no mandatory implementing acts
• Analysis of requirements deriving from each article
Security Framework
• Risk assessment
• Mitigate the impact of security incidents
Auditing Framework
• Audit methodology and recommendations regarding TSPs' documentation and organization
Guidelines on the initiation / supervision / termination of Trust Services
• Procedural aspects for the initiation of a qualified trust service
- Guidelines for Supervisory Bodies
- Guidelines for TSPs
• Procedural aspects for the supervision of a qualified trust service
- Determining appropriate supervisory activities
- Life-cycle management of qualified status
- Dealing with non-compliance and withdrawing the qualified status
- Reporting of supervisory activities
- Collaboration of European Supervisory Authorities
• Procedural aspects for the termination of a qualified trust service
- Procedures and formats for the termination and supervision of the termination of a qualified trust service
Overview of the QTSP/QTS life cycle management
How to validate QWACs and indicate / visualize that a web site is using a QWAC
Supporting QWACs verification through browser plugins (preliminary findings)

Criterion                                    Native messaging   Online validation
Extension requirements
  [R1] Validation of QWACs                   +                  +
  [R2] Facilitate user recognition of QWACs  +                  +
  [R3] Easy installation                     +/-                +
  [R4] Universal applicability               +/-                +
Development considerations
  Ease/cost of development                   +                  +
  Requires cooperation of browser vendors    +/-                +
  Access to browser SSL/TLS information      -                  -
  Expected maintenance                       +                  +/-
  Sensitivity to cyber attacks               +                  -
Survey: Preliminary results for SBs & CABs
Do you see standardization or regulatory gaps during auditing of the QTSPs?
[Pie chart of responses: No / Yes / No experience yet; values shown 11%, 77%, 12%]
Respondents' comments:
• Standards for qualified electronic delivery services, validation services and preservation services are missing
1. Need to clarify the accreditation process through implementing acts
2. Harmonized requirements for accreditation of CABs, for the conformity assessment report, and for the auditing rules under which conformity assessment will be carried out
3. Need for technical standards describing the certification scheme of the different trust services
4. Need for concrete implementing acts and definitions in the regulation
• Gaps between SBs across the EU exist, especially in product qualification
• Lack of regulation on eIDAS-compliant cryptographic algorithms
• Different understanding of the standards
• No standards for all the eIDAS services
• No standard for accreditation of CABs nor for eIDAS CARs
• Discrepancies in the conformity assessments of Qualified TSPs; questions may arise regarding the quality of qualified trust services in the EU
ENISA Trust Services Forum 2017, 3rd edition
Day: 29th June 2017
Place: Berlaymont building, EC premises, Brussels
Register: https://www.enisa.europa.eu/events/tsp-forum-2017

PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
www.enisa.europa.eu
Thank you