ETSI CONFORMITY ASSESSMENT FRAMEWORK FOR TRUST SERVICE PROVIDERS
Workshop on TSP Conformity Assessment
Presented by Nick Pope, Thales, STF 427 QF1 (TSP Conformity Assessment) Leader, STF 412 ETSI & CAB Extended Validation


Posted on 14-Jun-2020


Page 1: ETSI CONFORMITY ASSESSMENT FRAMEWORK FOR TRUST SERVICE PROVIDERS. Workshop on TSP Conformity Assessment: Presented by Nick Pope, Thales

ETSI CONFORMITY ASSESSMENT FRAMEWORK FOR TRUST SERVICE PROVIDERS
Workshop on TSP Conformity Assessment
Presented by Nick Pope, Thales, STF 427 QF1 (TSP Conformity Assessment) Leader
STF 412 ETSI & CAB Extended Validation

Page 2

Topics

Background
• Specifications supporting E-Signature Directive
• ETSI support for CAB Forum Guidelines

Recent Activities under "Standardisation Mandate 460"
• Policy requirements for CAs: TS 101 456 / TS 102 042, progression to European Norm & restructuring
• TSP Conformity Assessment Requirements & Guidance
• Support for CAB Forum Guidelines (detail covered in later presentation)

Likely and possible future directions

© ETSI 2012 All rights reserved

Page 3

Background: TSP Standards Linked to E-Signature Directive 1999/93

TS 101 456 "Policy Requirements for Certification Authorities issuing Qualified Certificates"
• Aimed at requirements in Annex II of Directive
• First version published in 2000
• Best practice for CA "trustworthy" operation

TS 102 042 "Policy Requirements for Certification Authorities issuing Public Key Certificates"
• Generalised requirements for any kind of public key certificate
• Derived from TS 101 456
• First version published in 2002

CWA 14172-2 "Conformity Assessment – CA Services & processes"
• Provides Guidance on assessment of TS 101 456 & 102 042
• Based on EN 45000 & ISO 17799

Page 4

Background: Supervisory & Accreditation under Directive 1999/93

Each Nation has own "Scheme" for supervision of "Certification Service Providers" with "optional" Accreditation

Many adopted TS 101 456

Few applied CWA 14172-2

Significant variations in approach to audit

Page 5

Background: CAB Forum

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications.

Produced guidance for CAs issuing SSL/TLS (and Code signing) for Browser root programs
• Initially for Extended Validation Certificates
• Recently added Baseline SSL/TLS

Page 6

Background: CAB Forum & ETSI

A number of CAs issuing SSL Certificates also "supervised" against TS 101 456

Since 2007 ETSI has worked with CAB Forum to apply ETSI Specifications to CAB Guidance

ETSI TS 102 042 updated to specifically take into account use with CAB Forum Guidelines + additional guidance

CAB Forum requires audit in accordance with:
• Webtrust for CA
• National scheme that audits conformance to ETSI TS 101 456
• National scheme that audits conformance to ETSI TS 102 042
• ISO 21188 (PKI for financial services)

Page 7

Standardisation Mandate 460

EU Studies (e.g. Crobies) identified need to:
• "Rationalise" electronic signature standards
• Ensure up to date and bring all key standards to European Norm

European Commission Mandate 460 to CEN & ETSI:
• Phase 1 (April 2011 to March 2012)
  • Rationalised framework and future work plan for E-Signature Standards
  • Quick Fixes to address identified gaps in standards & progress key specifications to European Norms
• Phase 2 (2012 to 2014+) Implement work plan

EU Consultation & Study on New Directive for: Electronic Identification, Authentication and Signatures
• Widen likely future scope from "Certification Service Providers" to "Trust Service providers"

Page 8

Mandate 460 Phase 1 TSP Activities

Requirements & Guidance for TSP Conformity Assessment
• Initially aimed at CAs but aim to be generally applicable to "Trust Service Providers"
• Based on CWA 14172-2
• Initially Technical Specification, plan to progress to European Norm

European Norm version of TS 101 456 & TS 102 042
• Draft EN on General Policy Requirements for TSPs
• Draft EN equivalent to TS 101 456
• Draft EN equivalent to TS 102 042

Page 9

TSP Conformity Assessment: Scope

Guidance for Supervision

Requirements for Conformity Assessment (Voluntary Accreditation)

Applicable to any TSP Services
• CSP issuing QC Certificate
• CA issuing SSL Certificate
• Time-stamping…
• Remote signing services
• Signature validation services
• etc

Page 10

TSP Conformity Assessment: Basis

EU regulations:
• Regulation (EC) No 765/2008 "requirements for accreditation and market surveillance …"

ISO Standards
• ISO 17021 "Conformity assessment - Requirements for bodies providing audit and certification of management systems" (ISO 17000 series replaces EN 45 000)
• ISO 27006 "Requirements for bodies providing audit and certification of information security management systems" (ISO 27000 replacing ISO 17799)

Page 11

TSP Conformity Assessment: Confusion over terminology

Accreditation
• Used in conformity assessment regulations / standards to refer to checking capability of "Conformity Assessment Body"
• Used in Directive 1999/93 as a form of conformity assessment

Certification
• Used in conformity assessment to mean certification of conformity.
• Used in Directive 1999/93 to relate to Certification Service Providers

Page 12

TSP Conformity Assessment: Model

[Diagram: conformity assessment model. Entities: European co-operation for Accreditation (EA); National Accreditation Body; Conformity Assessment Body (Assessors); Trust Service Notification Body; Trust Service Status List; TSP. Flows: Assessment Scheme; National Scheme; Accreditation; Assessment request; Assessment; Assessment Criteria; Assessment Report; Notification; Trust Service Status.]

Page 13

TSP Conformity Assessment: Process Steps

[Diagram: Initiation (TSP to Notification Body); Assessment Stage 1: Documentation, and Assessment Stage 2: Implementation (Conformity Assessment Body); Report; Status Notification (Notification Body & TSP); Notification (Interested Parties).]

Page 14

TSP Conformity Assessment: Re-assessment (5.4 to 5.6)

Full Conformance Assessment every 3 years

Surveillance audit every year

Incident related surveillance on notification of potential compromise

Page 15

TSP Conformity Assessment: Cross Border (Clause 7)

Assessment of TSPs relying on component services operating in other countries

TSPs notified in one state and assessed in another

Page 16

Phase 2: TSP Conformity Assessment

Formal recognition by European Cooperation for Accreditation

Progress to European Norm


Page 17

Interim Approach for CAB Conformity

Conformity Assessment Body "Accredited" against ISO/IEC 27001

Audit as per: ISO 17021 or EN 45011 (ISO guide 65).

Notification by Conformity Assessment Body Certification

Page 18

TSP Policy Requirements: Phase 1: Work Items

draft EN on General policy requirements for TSPs

draft EN on Policy requirements for CSP issuing qualified certificates
• Requirements identical to TS 101 456
• General requirements by reference

draft EN on Policy requirements for CAs issuing PKI certificates
• Requirements identical to TS 102 042
• General requirements by reference

Feedback requested on issues identified in annex

Page 19

TSP Policy Requirement – Phase 2: work plan

[Diagram: General TSP Policy & Security Requirements at the base, with one Policy Requirements column each for Time-stamp, Sig. Gen., Sig. Verif., QCP, NCP/LCP, SSL EV and SSL Baseline; each column paired with a Security Profile and a Trustworthy Sys. entry.]

Page 20

Current Status

Agreed, stages of final pre-publication edit:
• TS ??? ??? Trust Service Provider Conformity Assessment - General requirements and guidance
• prEN ??? ??? General Policy requirements for Trust Service Providers supporting Electronic Signatures
• prEN ??? ??? Policy requirements for certification authorities issuing qualified certificates (TS 101 456)
• prEN ??? ??? Policy requirements for Certification Authorities issuing public key certificates

Available soon at: http://pda.etsi.org/pda/queryform.asp

Page 21

Future of TSP Conformity Assessment

Greater coordination between national schemes
• Adoption of common approach based on European Norms
• Sharing information on security incidents and current best practice

National schemes covering the range of "Trust Service providers"?

Work towards full conformity assessment by Certification (Audit) Bodies Accredited by European cooperation for Accreditation?

Page 22

Thank you

Members of STF on TSP Conformity Assessment: Nick Pope (UK), Arno Fiedler (Germany), Paloma Llenza (Spain), Istvan Renyi (Hungary), Sylvie Lacroix (Belgium / France)

Contact: nick.pope@thales-esecurity.com

Download: http://pda.etsi.org/pda/queryform.asp