Supervision and accreditation of CSPs within the EU legal framework (PowerPoint presentation)



SLIDE 1

2009-12-08 Supervision and accreditation of CSPs within the EU legal framework Slide 1

Supervision and accreditation of CSPs within the EU legal framework

Ulrich Latzenhofer

Forum of European Supervisory Authorities for Electronic Signatures (FESA)

SLIDE 2


Outline

  • Terminology
  • eSignature Directive
  • Supervision vs. accreditation
  • FESA
SLIDE 3


Terminology

SLIDE 4


SLIDE 5


eSignature

  • Definition from European eSignature Directive
    • Data in electronic form
    • Attached to or logically associated with other electronic data
    • Serving as a method of authentication
  • Simple examples
    • Scanned signature attached to electronic document
    • Transaction authentication number as used by online banking services

SLIDE 6


Advanced eSignature

  • Criteria from European eSignature Directive
    • Uniquely linked to signatory
    • Capable of identifying signatory
    • Created using means under sole control of signatory
    • Subsequent changes of signed data detectable
  • Non-binding interpretation by FESA
    • Example: Digital signature based on public-key cryptography

SLIDE 7


Secure signature creation device (SSCD)

SLIDE 8


SSCD requirements

  • Requirements from European eSignature Directive
    • Uniqueness and secrecy of signature creation data
    • Protection against illegitimate use and forgery
    • Possible presentation, no alteration of data to be signed
  • Conformity with requirements
    • To be assessed by body referred to in Directive, Article 3(4)
    • Presumed for SSCDs meeting “generally recognised standards” (CWA 14169)

SLIDE 9


Qualified certificate (QC)

Policy identifier for QC with SSCD

  • Link between natural person and signature verification data
  • Confirmed by trusted third party

SLIDE 10


QC: Content requirements

  • QC statement
  • Identification of certification service provider (CSP) and State of establishment
  • Name of the signatory or pseudonym
  • Signature verification data
  • Period of validity
  • Identity code of certificate
  • Advanced eSignature of CSP
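
As an added example (not part of the slides), the following Python decodes the qcStatements extension in which the "QC statement" listed above is carried inside an X.509 certificate and reports what a relying party learns from it. The statement OIDs are taken from ETSI TS 101 862, which the slide does not cite, and the sample extension bytes are constructed.

```python
# Added example, not from the FESA slides: decode the qcStatements extension
# of an X.509 certificate with the standard library only and report which ETSI
# QC statements it carries. OIDs per ETSI TS 101 862 (assumption, not on the slide).
QC_COMPLIANCE = "0.4.0.1862.1.1"   # issued as a qualified certificate
QC_SSCD = "0.4.0.1862.1.4"         # private key held in an SSCD


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Convert DER OID content octets to dotted notation (first octet packs two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_qc_statements(ext_value):
    """Return the statementId OIDs of a qcStatements extension value (RFC 3739 syntax)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, stmt, pos = _read_tlv(seq, pos)  # QCStatement ::= SEQUENCE { statementId, statementInfo OPTIONAL }
        tag_id, oid, _ = _read_tlv(stmt, 0)
        if tag != 0x30 or tag_id != 0x06:
            raise ValueError("malformed QCStatement")
        oids.append(_decode_oid(oid))        # statementInfo, if present, is ignored here
    return oids


def qc_profile(ext_value):
    """Summarise what a relying party learns from the QC statements."""
    oids = parse_qc_statements(ext_value)
    return {"qualified": QC_COMPLIANCE in oids, "sscd": QC_SSCD in oids}


# Constructed sample: qcStatements ::= { {QcCompliance}, {QcSSCD} } in DER.
SAMPLE_QC_STATEMENTS = bytes.fromhex("3014 3008 0606 04008e460101 3008 0606 04008e460104")
```

The qualified/SSCD flags are only meaningful once the issuing CSP's own status has been confirmed in the national directory of CSPs; the statements alone are an assertion by the CSP.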
SLIDE 11


QC: Requirements for CSP

  • Directory and revocation services
  • Verification of identity
  • Reliability and qualifications of personnel
  • Trustworthy systems
  • Financial resources
  • Records
  • Information for signatories
SLIDE 12


Qualified eSignature

  • Criteria from European eSignature Directive
    • Advanced eSignature
    • Based on QC
    • Created by SSCD
  • Legal equivalence with handwritten signature (provided that electronic form is admissible)

SLIDE 13


Types of eSignature

(Diagram; labels: Advanced eSignatures, Based on QC, Created by SSCD, Qualified eSignatures)

SLIDE 14


eSignature Directive

SLIDE 15


Important provisions

  • Market access
  • Internal market principles
  • Legal effects of eSignatures
  • Liability of CSPs
  • International aspects
  • Data protection
SLIDE 16


Market access

  • No prior authorisation for certification services
  • Voluntary accreditation schemes possible on EU Member State level
  • CSPs issuing QCs to be supervised by EU Member States
  • Conformity of SSCDs to be assessed by designated bodies
  • Criteria for additional public sector requirements
SLIDE 17


Internal market principles

  • Home state regulation
    • National provisions to be applied only to CSPs established in that nation’s territory
    • No restriction of certification services originating in another Member State
  • Free circulation of eSignature products complying with eSignature Directive

SLIDE 18


Legal effects of eSignatures

  • Qualified eSignatures
    • Legal equivalence with handwritten signatures
    • Admissibility as evidence in legal proceedings
  • Other eSignatures
    • Legal effectiveness and admissibility as evidence not to be denied solely due to “quality level”

SLIDE 19


Liability of CSPs

  • For damage to party relying on QC
    • Accuracy of information contained in QC
    • Corresponding signature creation data held by signatory
    • Complementarity of signature creation data and signature verification data
    • Revocation of QC
  • Possible limitations
    • Use of QC
    • Value of transactions
SLIDE 20


International aspects

  • Recognition of QC from third country
    • CSP accredited in EU Member State or
    • QC guaranteed by CSP established within European Community or
    • Recognition under agreement between European Community and third country or international organisation
  • Proposals and mandates of European Commission
SLIDE 21


Data protection

  • Compliance with Data Protection Directive
    • CSPs
    • Bodies responsible for supervision and accreditation
  • Collection of personal data
    • Only from data subject or with consent of data subject
    • Only as far as necessary for purpose of certification service
  • Pseudonyms not to be prevented
SLIDE 22


Supervision vs. accreditation

SLIDE 23


Types of CSPs to be supervised

  • CSPs issuing QCs to the public
  • Other CSPs if required by national law
    • Non-qualified certificates
    • Directory and revocation
    • Time-stamping
    • eSignature verification
  • Closed systems exempted
SLIDE 24


Supervision modality determined by national law

  • Supervision system (e.g., public or private sector)
  • Obligations of bodies involved with supervision
  • Scope of supervision
  • Directory of CSPs
  • Obligations of CSPs to support supervision
  • Supervisory measures and enforcement
SLIDE 25


Bodies typically involved with supervision

  • Supervisory authority and its office
  • Designated bodies
  • Bodies recognised under Common Criteria Recognition Arrangement (CCRA)
    • Certification/Validation Bodies
    • Evaluation Facilities
  • Independent experts
  • Other administrative authorities and courts
SLIDE 26


Supervision practices

  • Mode, depth, and frequency of supervision different from country to country
  • Applicable standards
    • National law implementing eSignature Directive
    • Technical standards if compliance required by law or claimed by CSP, e.g. ETSI TS 101 456, CWA 14167-1
    • Guidance on technical standards and conformity assessment, e.g. ETSI TR 102 437, CWA 14172-2 and -3

SLIDE 27


Voluntary accreditation

  • Aiming at enhanced levels of CSP
  • Setting out rights and obligations specific to CSP
  • Granted upon request by CSP
  • Supervision within accreditation scheme
  • CSP not entitled to exercise rights prior to accreditation

SLIDE 28


Differences supervision – accreditation

  • Supervision
  • Accreditation

(Diagram; labels under Supervision: notification, end of procedure, compliance check, CSP activity; labels under Accreditation: request accreditation, compliance check, CSP activity)

SLIDE 29


Advantages of accreditation

  • For CSPs within EU: Advantages not directly stemming from eSignature Directive
  • For third country CSPs: Recognition of QCs within EU by means of accreditation in EU Member State
  • For all CSPs: Advantages depending on particular accreditation scheme and/or national law

SLIDE 30


Various types of accreditation

  • Approval
    • Compliance typically assured under private law
  • One-level accreditation
    • CSP accredited by accreditation body directly
  • Two-level accreditation
    • CSP certified by “certification body”
    • “Certification body” accredited by accreditation body

SLIDE 31


Supervisory authority ≠ accreditation body

  • Competencies for supervision and accreditation split to different bodies in some EU Member States
  • Supervision of accredited CSPs within accreditation scheme
  • Typically no additional supervision by supervisory authority unless accreditation revoked or expired

SLIDE 32


Directory of CSPs

  • Required for independent certificate verification
  • No uniform European approach so far
    • National root CA, e.g. Germany
    • Special purpose root CA, e.g. Hungary
    • Signed list of CSPs, e.g. Italy
    • List of CSPs, e.g. Norway
  • Trusted List according to ETSI TS 102 231 to be maintained by each Member State as of 2009-12-28
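
As an added example (not part of the slides), the following Python shows the "independent certificate verification" the directory exists for: it resolves an issuing CA against a Trusted List of the kind ETSI TS 102 231 defines and decides whether the CA is listed as a qualified-certificate service with a granted supervision or accreditation status. The namespace and element names follow my reading of TS 102 231 and are an assumption, and the list content and key identifiers are constructed.

```python
# Added example, not from the FESA slides: resolve a CA against a Trusted List (ETSI
# TS 102 231, slide 32). Namespace and element names are my reading of TS 102 231
# (assumption); the list content, TSP name and key identifiers are constructed.
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}

SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
<TrustServiceProviderList><TrustServiceProvider>
 <TSPInformation><TSPName><Name>X-Trust Ltd. (constructed)</Name></TSPName></TSPInformation>
 <TSPServices>
  <TSPService><ServiceInformation>
   <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
   <ServiceDigitalIdentity><DigitalId><X509SKI>c2tpLXFjLWNhLTE=</X509SKI></DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/accredited</ServiceStatus>
  </ServiceInformation></TSPService>
  <TSPService><ServiceInformation>
   <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
   <ServiceDigitalIdentity><DigitalId><X509SKI>c2tpLW9sZC1jYQ==</X509SKI></DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/supervisionrevoked</ServiceStatus>
  </ServiceInformation></TSPService>
 </TSPServices>
</TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

# Statuses under which a listed CA/QC service is currently granted (simplification).
GRANTED = {"undersupervision", "accredited"}


def lookup_ca(tl_xml, ski_b64):
    """Find the TSP service whose X509SKI equals the CA's subject key identifier.
    Returns (tsp_name, service_type, status), or None when the CA is not listed at all."""
    root = ET.fromstring(tl_xml)
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for info in tsp.iterfind(".//tsl:ServiceInformation", NS):
            if info.findtext(".//tsl:X509SKI", namespaces=NS) != ski_b64:
                continue
            stype = info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS).split("/Svctype/")[1]
            status = info.findtext("tsl:ServiceStatus", namespaces=NS).rsplit("/", 1)[1]
            return name, stype, status
    return None


def may_rely_on_qc(tl_xml, ski_b64):
    """True only when the issuing CA is listed as a CA/QC service with a granted status."""
    hit = lookup_ca(tl_xml, ski_b64)
    return hit is not None and hit[1] == "CA/QC" and hit[2] in GRANTED
```

A production verifier would additionally check the list's own signature and the status starting time against the certificate's issuance date; both are left out here to keep the lookup itself visible.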

SLIDE 33


FESA

SLIDE 34


Cross-border issues in supervision

  • Example: CSP X-Trust operating in several countries
    • Company X-Trust Ltd. established in country A
    • X-Trust’s technical infrastructure located in country B
    • X-Trust’s registration services provided in country C
    • X-Trust’s SSCDs initialised in country D
  • Problem: Competencies of national authorities
  • Solution: Cooperation of national authorities and harmonisation of their activities within FESA

SLIDE 35


Membership

  • Full members: National bodies responsible for supervision and/or accreditation from EU and EFTA members as well as candidate countries
  • Associate members: Similar bodies from other countries
  • Currently 24 members and 3 associate members, see http://www.fesa.eu/members.html

SLIDE 36


Organisation

  • Meetings of assembly at least twice every year
  • Tools for electronic collaboration
    • Internal document repository
    • Internal mailing lists
  • Board responsible for organisational matters
  • No fixed seat or secretariat
  • Public information available at http://www.fesa.eu/
SLIDE 37


Selected common points of view

  • Cross-border supervision of CSPs
  • Advanced eSignature
  • Verification of identity
  • QCs for automatically signing systems
  • Server based signature services
  • Issuing QCs to the public vs. closed systems
  • CSPs established on Member State’s territory
SLIDE 38


Summary

  • eSignature Directive as common framework for eSignatures with legal effect in EU
  • Supervision and accreditation as means for ensuring quality of certification services and promoting trust
  • FESA as organisation aiming at cooperation among supervisory authorities and harmonisation of their activities

SLIDE 39


Thank you for your interest!

Please contact

  • board@fesa.eu for questions regarding FESA
  • signatur@signatur.rtr.at for questions regarding eSignatures in Austria
  • ulrich.latzenhofer@rtr.at for personal questions