ida interchange of data between administrations n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
IDA Interchange of Data between Administrations PowerPoint Presentation
Download Presentation
IDA Interchange of Data between Administrations

Loading in 2 Seconds...

play fullscreen
1 / 41

IDA Interchange of Data between Administrations - PowerPoint PPT Presentation


  • 312 Views
  • Uploaded on

IDA Interchange of Data between Administrations. A ‘bridge CA’ for Europe’s public administrations European Signatures vs Global Signatures EESSI, Rome, 7th April 2003 Paul E Murphy IDA, Enterprise Directorate General European Commission. IDA programme of DG Enterprise

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'IDA Interchange of Data between Administrations' - tamasine


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
ida interchange of data between administrations

IDAInterchange of Data between Administrations

A ‘bridge CA’ for Europe’s public administrations

European Signatures vs Global Signatures

EESSI, Rome, 7th April 2003

Paul E Murphy

IDA, Enterprise Directorate General

European Commission

slide2
IDA programme of DG Enterprise
  • IDA bridge CA project
    • history
    • current developments
  • Some PKI issues
the ida programme
The IDA programme
  • Interchange of Data between Administrations
  • Enterprise Directorate General, European Commission
  • 1999 - 2004
the ida programme1
The IDA programme
  • Co-ordinates the exchange of information between the MS and EC in support of:
    • the management of the single market
    • the Community decision-making process
    • a wide range of Community policies
what does ida do
What does IDA do?
  • Sectoral projects for information exchange in support of the Single Market
    • Agriculture, Employment, Environment, Health, Enterprises, Statistics, etc.
what does ida do1
What does IDA do?
  • Generic Services
    • TESTA (IP network), Public Key Infrastructure (PKI CUG), CIRCA (workgroup)
  • Common tools and techniques
    • MoReq, architecture guidelines for interoperability, STATEL, etc.
ida pkicug
IDA PKICUG
  • IDA issues X.509v3 electronic certificates
  • to members of IDA Networks
  • for use in:
    • SSL
    • S/MIME
    • electronic signature
  • Now proposes a ‘bridge CA’
slide8
Why?
  • eEurope Action Plan
    • support for electronic signatures in public administration
  • Member States ’ policy
    • ability to use the electronic certificates issued by their national CAs in pan-European business
  • IDA policy
    • encourage interoperability, use of standards, use of e-signature, etc.
    • Conclusions from previous projects
feasibility study
Feasibility study
  • Collect and summarise the views of the Member States
  • Raise major potential issues
    • legal and political
    • organisational
    • technical
  • Discuss possible solutions
  • Propose further steps
legal and political aspects
Legal and political aspects

A series of issues to be agreed prior to operations

  • No reluctance to the principle of mutual recognition of national Certification Authorities
    • some level of national control was requested
  • The major issue raised was the understanding of electronic signatures
    • qualified certificates versus non-qualified
    • understanding of (in particular) Article 5 of the European Directive
    • requirement to establish equivalence rules between qualified certificates throughout Europe
  • The liability of the authorities issuing certificates should be limited to the respect of attribution procedures
governance

Ways to manage the common organisation

Governance
  • Comply with existing IDA rules
  • Organisational instance to be defined, including:
    • a Governing Body composed of representatives
      • of the Member States and of the European Institutions ?
      • of the participating Certification Authorities ?
    • a specific team to manage operations
    • a technical infrastructure depending on the architecture chosen
  • Definition and application of procedures
    • agreement of a given CA to be recognised by the bridge
    • periodic verification of compliance
core functionality

Required services to all user profiles

Core functionality
  • Exchange and renewal of cross-certificates or of any equivalent information (e.g. signed lists of trusted root certificates)
  • Publication of general information
    • Certificate Policies
  • Publication of certification information
    • trusted CA certificates
    • certificate revocation lists
  • Publication of technical interoperability specifications
  • According to the solution chosen, availability of a test bed to validate the interoperability of a given CA with the other ones
major recommendation

Set up an intermediate infrastructure

Major recommendation
  • A set of organisational measures and of technical tools participating in establishing permanent, secure and reliable trust between the Public Key Infrastructures established by the Member States for the usage of their public sector
  • The primary goal is to help civil servants to recognise the valid credentials of their correspondents in other Member States, hence to establish a secure environment for electronic data exchange
    • as a secondary goal, the same service could be provided to companies and individuals to recognise civil servants
  • Optionally, other PKIs, in particular those providing Public Key Certificates to the major partners of the Administrations, could be recognised as well
suggested organisation
Suggested organisation

Governing body

Member States

European Institutions

Member CAs

Policy Authority

Management team

Technical assessors

memorandum of agreement

The basic charter of collaboration

Memorandum of Agreement
  • Must be established before any operational start up
  • Should cover the following descriptions
    • responsibility, commitments and liability of all participating authorities
    • rules for the governance of the intermediate infrastructure
    • building blocks of the certificate policies, including
      • profile of contents
      • assurance levels
      • management procedures
    • services provided and expected from the infrastructure by the participating and relying parties
    • procedures for an applicant party to become a participating authority
architecture

Possible ways to interconnect the Public Key Infrastructures

Architecture
  • Hierarchy
    • a central Certification Authority recognises each CA of the Member States or of national organisations
    • relying parties just trust the central CA
  • Mesh
    • the Certification Authorities of the Administrations or of public bodies directly recognise each other
    • each relying party justs trust its own CA that in turn trusts the remote CA
  • Web / trust model
    • a repository of trusted Certification Authorities
    • each relying party trusts all distributed certificates of the list
  • Hub-and-spoke infrastructure ("bridge")
    • a central technical infrastructure cross-recognises each concerned CA
    • each relying party justs trusts its own CA that trusts the bridge that in turn trusts the remote CA
hierarchical

A central Certification Authority recognises each CA of the Member States or of national organisations

  • Relying parties just trust the central CA
Hierarchical
mesh peer to peer cross certification

The Certification Authorities of the Administrations directly recognise each other

  • Each relying party justs trust its own CA that in turn trusts the remote CA
Mesh (peer-to-peer cross certification)
web trust distribution of trusted lists
Web / trust (distribution of trusted lists)
  • A repository of trusted Certification Authorities
  • Each relying party trusts all distributed certificates of the list
bridge model

A central technical infrastructure cross-recognises each CA

  • Each relying party justs trusts its own CA that trusts the bridge that in turn trusts the remote CA
Bridge model
modified bridge ca model
Modified bridge CA model

Bridge model + web / trust model

suggested bca model

A compromise between the proposed models

Suggested BCA model
  • The bridge trusts (i.e. accepts to certify) each proposed member CA
  • ‘Root certificates be distributed by the bridge under the form of signed lists
    • relying parties trust each CA recorded in the list
    • Member States could update the list and re-sign it
  • ‘Cross-certification’ with the bridge CA
  • - relying parties trust their own CA that is cross-certified with the bridge that in turn trusts remote CAs that are cross-certified with the bridge
  • Member States may implement validation authorities inside their own administrations or public bodies
functioning of the suggested architecture

Consultation of certificates

Consultation of status

Relying party

Relying party

Relying party

Local verification

Functioning of the suggested architecture

DOMAIN A

DOMAIN C

Bridge CA

CA A

CA C

Cross certification

Simple certification

CA A

CA B

CA C

(signed

bridge CA)

Validation authority

Simple certification

DOMAIN B

CA B

certificate policies

A set of European-level policies

Certificate policies
  • A Policy Authority should be created by the Governing Body to:
    • define the intended usage of families of certificates
    • establish the associated assurance levels and minimum management procedures
    • draw up and publish the resulting Certificate Policies
  • European policies (possibly sectoral) rather than national policies
    • simpler management
    • unique understanding
    • no need for complex mapping
  • In the long term, the identity of policies should be registered into the certificates and the relying parties requested to verify the proper usage of certificates
current phase 1
Current Phase: 1
  • Step-by-step approach
  • Draft Memorandum of Agreement / Understanding
  • Outline Certificate Policy
  • Outline Technical Requirements for participating CAs
  • CTL Feasibility Study
  • Outline Operational Procedures
  • Outline of Pilot and Test Plan
current phase 2
Current Phase: 2
  • Memorandum of Agreement / Understanding for participating Member States
  • Bridge CA Certificate Policy
  • Technical Requirements for participating CAs
  • Bridge CA Technical Architecture
  • Recommendations on use of CTLs
  • Bridge CA Operational Procedures
  • Agreed Pilot and Test Plan
next phase
Next Phase
  • Pilot of Bridge CA:
    • Generate CTLs;
    • Generate Cross-Certificates
    • Publicly accessible directory
  • Test:
    • Operation of bridge CA
    • Bridge CA in a simulated IDA network
    • Member State to Member State exchanges
  • Bridge CA Certificate Practices Statement
  • Bridge CA Certificate Policy
  • Technical Requirements for participating CAs
  • Bridge CA Technical Architecture
  • Recommendations on use of CTLs
  • Bridge CA Operational Procedures
  • Agreed Pilot and Test Plan
slide28
Then
  • Decision Time
bridge ca feasibility study
Bridge CA feasibility study
  • http://europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&parent=news&documentID=581
european vs global signatures
European vs Global Signatures?
  • IDA needs ‘pan-European’ signatures
    • ability to use electronic certificates in trans-border applications (e.g. public e-procurement)
  • Establish trust in CAs in other Member States
    • cross-certification?
    • Mutual recognition?
    • Bridge CA?
    • Allow for local control
european vs global signatures1
European vs Global Signatures?
  • Establish the authenticity and validity of electronic certificates issued in a Member State other then the relying party’s
  • European level certificate policies
    • Correspondence with national certificate policies
  • Interoperability
why do we introduce pkis
Why do we introduce PKIs?
  • Work electronically with business partners
  • Reduce costs or increase profits
  • Increase operational efficiency
  • Be more effective in achieving objectives
  • Provide value added services that cannot be provided with paper-based working
  • Government policy (public administration)
basic requirements for pkis
Basic requirements for PKIs
  • Provide a real business benefit
  • Cost-effective
  • Easy / easier than paper-based equivalents
  • Easy to set up
  • Easy to operate
  • Interoperable with other PKIs
  • Add value
some pki problems
Some PKI Problems
  • S/MIME v2: Authentication and confidentiality
  • Scalability
  • Certificate Policies
  • The way people and organisations work
  • Encryption
  • Other problems
how work is performed
How work is performed
  • Personal certificates vs. functional organisational units
  • Functional certificates
    • organisational units are not legal entities
      • non-repudiation
      • electronic signature
  • ‘Registration’ of organisational units
how work is performed1
How work is performed
  • PKI
    • Personal certificates
  • Work
    • Organised on functional units
      • Shared functional certificates
how work is performed2
How work is performed
  • Role-based certificates
    • The role confirms the authority of the certificate holder
    • The role may determine the validity of the business event
    • Volatility of personnel
  • X.509 v3 certificate extensions
    • Interoperability and language problems
other problems
Other problems
  • Directory and discovery problems
  • Trust relationships
    • ‘Bridge’ CA
    • Ability to follow a certification path
  • Certificate revocation status checking
  • CRLs, OCSP, etc.
  • Cross-certification
  • etc.
what do we need
What do we need?
  • Interoperable standards-based products that are:
    • Available from multiple suppliers,
      • Interoperable with or can
        • Exchange information with the
          • Office products typically found in modern enterprises and public sector organisations, and
    • Work across Europe’s borders.
  • Agreed PKI models that are congruent with the way business is carried out
slide40
IDA programme of DG Enterprise
  • IDA bridge CA project
    • history
    • current developments
  • Some PKI issues
thank you

Thank you

Paul E. Murphy

IDA programme

European Commission (SC 15 02/65)

B-1040 Brussels, Belgium

fax: +32 2 299 0286

e-mail: Paul-E.Murphy@cec.eu.int