etsi conformity assessment framework for...etsi conformity assessment framework for trust service...
TRANSCRIPT
ETSI CONFORMITY ASSESSMENT FRAMEWORK FORETSI CONFORMITY ASSESSMENT FRAMEWORK FORTRUST SERVICE PROVIDERSWorkshop on TSP Conformity Assessment: p yPresented by Nick Pope, Thales, STF 427 QF1 (TSP Conformity Assessment) Leader
STF 412 ETSI & CAB Extended Validation
Topics
Background• Specifications supporting E‐Signature Directive
f d l• ETSI support for CAB Forum Guidelines
Recent Activities under “S d di i M d 460”“Standardisation Mandate 460”• Policy requirements for CAs: TS 101 456 / TS 102 042
progression to European Norm & restructuringprogression to European Norm & restructuring
• TSP Conformity Assessment Requirements & Guidance
• Support for CAB Forum Guidelines (detail covered in later presentation)
Likely and possible future directions
© ETSI 2012 All rights reserved2
Background: TSP Standards Linked to E‐Signature Directive 1999/93E Signature Directive 1999/93
TS 101 456 “Policy Requirements for Certification AuthoritiesTS 101 456 Policy Requirements for Certification Authoritiesissuing Qualified Certificates”• Aimed at requirements in Annex II of Directive
• First version published in 2000
• Best practice for CA “trustworthy” operation
TS 102 042 “Policy Requirements for Certification Authorities issuing Public Key Certificates”• G li d i t f ki d f bli k tifi t• Generalised requirements for any kind of public key certificate
• Derived from TS 101 456
• First version published in 2002First version published in 2002
CWA 14172‐2“Conformity Assessment – CA Services & processes
© ETSI 2012 All rights reserved
• Provides Guidance on assessment of TS 101 456 & 102 042
• Based on EN 45000 & ISO 17799 3
Background: Supervisory & Accreditation under Directive 1999/93under Directive 1999/93
Each Nation has own “Scheme” for supervision of “Certification Service Providers” with “optional” Accreditation
Many adopted TS 101 456
Few applied CWA 14172‐2
Significant variations in approach to audit
© ETSI 2012 All rights reserved4
Background: CAB Forum
/The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser softwareauthorities (CAs) and vendors of Internet browser software and other applications.
Produced guidance for CAs issuing SSL/TLS (and Code signing)Produced guidance for CAs issuing SSL/TLS (and Code signing) for Browser root programs• Initially for Extended Validation Certificates
• Recently added Baseline SSL/TLS
© ETSI 2012 All rights reserved5
Background: CAB Forum & ETSI
A number of CA’s issuing SSL Certificates also “supervised” against TS 101 456
Si 2007 ETSI h W k d ith CAB F t l ETSISince 2007 ETSI has Worked with CAB Forum to apply ETSI Specifications to CAB Guidance
ETSI TS 102 042 updated to specifically take into account useETSI TS 102 042 updated to specifically take into account use with CAB Forum Guidelines + additional guidance
CAB Forum requires audit in accordance with:CAB Forum requires audit in accordance with:• Webtrust for CA
• National scheme that audits conformance to ETSI TS 101 456
• National scheme that audits conformance to ETSI TS 102 042
• ISO 21188 (PKI for financial services)
© ETSI 2012 All rights reserved6
Standardisation Mandate 460
EU Studies (e.g. Crobies) identified need to:• “Rationalise” electronic signature standards
• Ensure up to date and bring all key standards to European Norm• Ensure up to date and bring all key standards to European Norm
European Commission Mandate 460 to CEN & ETSI:• Phase 1 (April 2011 to March 2012)Phase 1 (April 2011 to March 2012)
• Rationalised framework and future work plan for E‐Signature Standards
• Quick Fixes to address identified gaps in standards &
Progress key specifications to European NormsProgress key specifications to European Norms
• Phase 2 (2012 to 2014+) Implement work plan
EU Consultation & Study on New Directive for:EU Consultation & Study on New Directive for:Electronic Identification Authentication and Signatures• Widen likely future scope from “Certification Service Providers” to
© ETSI 2012 All rights reserved
“Trust Service providers”
7
Mandate 460 Phase 1 TSP Activities
Requirements & Guidance for TSP Conformity Assessment• Initially aimed at CAs but aim to be generally applicable to
“Trust Service Providers”Trust Service Providers
• Based on CWA 14172‐2
• Initially Technical Specification plan to progress to European Norm
European Norm version of TS 101 456 & TS 102 042• Draft EN on General Policy Requirements for TSPs
• Draft EN equivalent to TS 101 456
• Draft EN equivalent to TS 102 042• Draft EN equivalent to TS 102 042
© ETSI 2012 All rights reserved8
TSP Conformity AssessmentScopeScope
Guidance for Supervision
Requirements for Conformity Assessment (Voluntary Accreditation)
Applicable to any TSP Services CSP i i QC C tifi t• CSP issuing QC Certificate,
• CA issuing SSL Certificate
• Time‐stamping….Time stamping….
• Remote signing services
• Signature validation services
• etc
© ETSI 2012 All rights reserved9
TSP Conformity AssessmentBasisBasis
EU regulations:• Regulation (EC) No 765/2008 “requirements for
accreditation and market surveillance ”accreditation and market surveillance ….
ISO Standards• ISO 17021 “Conformity assessment ‐y
Requirements for bodies providing audit and certification of management systems”(ISO 17000 series replaces EN 45 000)(ISO 17000 series replaces EN 45 000)
• ISO 27 006 Requirements for bodies providing audit and certification of information security management systems(ISO 27000 replacing ISO 17799)
© ETSI 2012 All rights reserved10
TSP Conformity AssessmentConfusion over terminologyConfusion over terminology
Accreditation• Used in conformity assessment regulations /
standards to refer to checking capability ofstandards to refer to checking capability of “Conformity Assessment Body”
• Used in Directive 1999/93 as a form of f iconformity assessment
CertificationUsed in conformity assessment to mean• Used in conformity assessment to mean certification of conformity.
• Used in Directive 1999/93 to relate to Certification Service Providers
© ETSI 2012 All rights reserved11
TSP Conformity Assessment ModelModel
Trust
European co‐operation for Accreditation
(EA)
Service Status ListTSP
AssessmentScheme
NationalA dit tiT t S iScheme Accreditation
BodyTrust Service
StatusNotification
Body
A tAssessmentReport
ConformityAssessment Body
AssessorsAssessorsNotification
Assessmentrequest
Assessment
AssessmentCriteria
TSP
© ETSI 2012 All rights reserved12
TSP Conformity AssessmentProcess StepsProcess Steps
TSP
InitiationTSP
Notification Body
Assessment Stage 1: Documentation ConformityAssessment
BodyAssessment Stage 2: Implementation
Report
f
StatusNotification
Notification Body & TSP
NotificationInterested Parties
© ETSI 2012 All rights reserved13
TSP Conformity Assessment Re‐assessment (5.4 to 5.6)Re assessment (5.4 to 5.6)
F ll C f A 3Full Conformance Assessment every 3 years
ll dSurveillance audit every year
Incident related surveillance on notification of potential compromise
© ETSI 2012 All rights reserved14
TSP Conformity AssessmentCross Border (Clause 7)Cross Border (Clause 7)
Assessment of TSPs relying on components services operating in other countries
TSPs notified in one state and assessed in another
© ETSI 2012 All rights reserved15
Phase 2: TSP Conformity Assessment
Formal recognition by European Cooperation for Accreditation
Progress to European Norm
© ETSI 2012 All rights reserved16
Interim Approach for CAB Conformity
Conformity Assessment Body “Accredited” againstISO/IEC 27001
A di ISO 17021 EN 45011 (ISO id 65)Audit as per: ISO 17021 or EN 45011 (ISO guide 65).
Notification by Conformity Assessment Body Certification
© ETSI 2012 All rights reserved17
TSP Policy RequirementsPhase 1: Work ItemsPhase 1: Work Items
draft EN on General policy requirements for TSPs
d ft EN P li i t f CSP i i lifi ddraft EN on Policy requirements for CSP issuing qualified certificates• Requirements identical to TS 101 456Requirements identical to TS 101 456
• General requirements by reference
draft EN on Policy requirements for CAs issuing PKI certificatesRequirements identical to TS 101 456• Requirements identical to TS 102 042
• General requirements by reference
Feedback requested on issues identified in annexFeedback requested on issues identified in annex
© ETSI 2012 All rights reserved18
TSP Policy Requirement –Phase 2: work planPhase 2: work plan
General TSP Policy & Security RequirementsPolic
Polic
Polic
Polic
Polic
Polic
Polic cy R
equir
cy Requir
cy Requir
cy Requir
cy Requir
cy Requir
cy Requir rem
ents
rements
rements
rements
rements
rements
rments
S
Time-sta
Sig. Gen
Sig
Verif
QC
NC
P/LC
P
SS
L EV
SL B
ase amp
n.
f. P line
Security Profile forS
Security Profile Security Profile Security Profile
© ETSI 2012 All rights reserved
Trustworthy Sys. Trustw’y Sys. Trustw’y Sys. Trustw’y Sys.
19
Current Status
Agreed, stages of final pre‐publication edit:• TS ??? ??? Trust Service Provider Conformity Assessment ‐ General
requirements and guidancerequirements and guidance
• prEN ??? ??? General Policy requirements for Trust Service Providers supporting Electronic Signatures
• prEN ??? ??? Policy requirements for certification authorities issuing qualified certificates(TS 101 456)( )
• prEN ??? ??? Policy requirements for Certification Authoritiesissuing public key certificates
Available soon at:http://pda.etsi.org/pda/queryform.asp
© ETSI 2012 All rights reserved20
Future of TSP Conformity Assessment
Greater coordination between national schemes• Adoption of common approach based on European Norms
• Sharing information on security incidents and current best practice• Sharing information on security incidents and current best practice
National schemes covering the range of “Trust ServiceNational schemes covering the range of Trust Service providers” ?
Work towards full conformity assessment by Certification(Audit) Bodies Accredited by European cooperation for(Audit) Bodies Accredited by European cooperation for Accreditation ?
© ETSI 2012 All rights reserved21
Thank you
M b f STF TSP C f it A tMembers of STF on TSP Conformity Assessment:Nick Pope (UK),
Arno Fiedler (Germany)Arno Fiedler (Germany),
Paloma Llenza (Spain)
Istavn Renyi (Hungary),
Sylvie Lacroix (Belgium / France)
Contactnick.pope@thales‐esecurity.com
Downloadhttp://pda.etsi.org/pda/queryform.asp
© ETSI 2012 All rights reserved22