PkBox as simple and secure cloud electronic
signature creation and validation solution
Giuseppe Damiano
CTO B.U. Products Intesi Group│ gdamiamo@intesigroup.com
Andrea Caccia
Consultant │ andrea.caccia@studiocaccia.com
ETSI Security week │ eIDAS Thematic stream │ Sophia Antipolis 25 June 2015
Intesi Group at a glance
Intesi Group is an Italian private company that operates in the ICT industry, offering specialized
professional services, products with high technological content and advanced cloud solutions.
Entirely self-funded, Intesi Group has grown steadily and rapidly since it was established in 1998.
With 2014 revenues of EUR 10 million and more than 100 highly skilled professionals,
Intesi Group is the ideal partner for those who want to integrate advanced technologies
in a fast and reliable way.
Specialized skills, established references and adherence to organizational models are the
elements that distinguish Intesi Group.
PkBox 3.0.3 – Architecture
(Architecture diagram) PkBox COD hosts a Signature Engine and a Time4ID OTP Engine; the Sign Credentials and the Time4ID Seeds they rely on are kept in the HSM Device.
#SecurityFirst
Security of sensitive information ensured by Thales HSM
Two Factor Authentication – HSM password and OTP validation
Signature Keys and OTP Seeds are protected by the HSM
PkBox: main features
Millions of signature credentials and OTPs managed
Performance: several hundred signatures/sec
Scalability: load balancing and multi-tier architectures
High reliability: one central DB for all PkBox (SSCD) instances
Easy to use: high-level API
Signature formats: CAdES, PAdES, XAdES, S/MIME, …
Complete Validation Authority functionalities
Authentication: OATH OTP (time- and event-based) via Mobile App, Mobile SDK and SMS
Multivendor OTP: Vasco, RSA, SafeNet, Gemalto, McAfee
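The activation flow sketched on the #SecurityFirst and features slides (HSM password plus an OATH event-based OTP, with keys and OTP seeds never leaving the HSM), as an added illustration that is not Intesi Group's PkBox code: a hypothetical in-process stand-in for the HSM, HOTP per RFC 4226 using the RFC's own test seed, and an HMAC stand-in for the private-key signing operation.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

RFC4226_SEED = b"12345678901234567890"   # RFC 4226 Appendix D test secret (constructed input)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OATH OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction to `digits` decimal digits."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class SignCredential:
    """What the HSM holds per signatory: password hash, OTP seed and counter, signing key.
    In a real deployment none of this leaves the HSM; here they are plain Python objects."""
    pwd_salt: bytes
    pwd_hash: bytes
    otp_seed: bytes
    otp_counter: int = 0      # next counter value the verifier expects
    sign_key: bytes = b""     # stand-in for the private signing key
    failures: int = 0


class SimulatedHsm:
    """Hypothetical in-process model of the HSM-backed signature activation path."""
    LOOK_AHEAD = 5       # RFC 4226 resynchronisation window: tolerate a few skipped tokens
    MAX_FAILURES = 3     # lock the credential after repeated bad activation attempts

    def __init__(self) -> None:
        self._creds: dict[str, SignCredential] = {}

    @staticmethod
    def _pwd_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, otp_seed: bytes, sign_key: bytes) -> None:
        salt = hashlib.sha256(user.encode()).digest()[:16]   # deterministic for the demo; use os.urandom in practice
        self._creds[user] = SignCredential(salt, self._pwd_hash(password, salt), otp_seed, 0, sign_key)

    def _match_otp(self, cred: SignCredential, otp: str) -> int:
        """Return the counter in [next, next + LOOK_AHEAD) whose HOTP equals `otp`, or -1."""
        for c in range(cred.otp_counter, cred.otp_counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(cred.otp_seed, c), otp):
                return c
        return -1

    def sign(self, user: str, password: str, otp: str, data: bytes) -> bytes | None:
        """Signature activation: the key is used only when both factors verify.
        Returns the signature, or None when activation is refused."""
        cred = self._creds.get(user)
        if cred is None or cred.failures >= self.MAX_FAILURES:
            return None
        pwd_ok = hmac.compare_digest(self._pwd_hash(password, cred.pwd_salt), cred.pwd_hash)
        matched = self._match_otp(cred, otp)   # evaluated regardless of pwd_ok: no early-exit timing hint
        if not pwd_ok or matched < 0:
            cred.failures += 1
            return None
        cred.otp_counter = matched + 1   # consume the OTP: it cannot activate a second signature
        cred.failures = 0
        # Stand-in for the private-key operation inside the HSM (a real SSCD produces RSA/ECDSA).
        return hmac.new(cred.sign_key, data, hashlib.sha256).digest()


if __name__ == "__main__":
    hsm = SimulatedHsm()
    hsm.enroll("signatory", "hsm-password", RFC4226_SEED, b"constructed-signing-key")
    first = hsm.sign("signatory", "hsm-password", hotp(RFC4226_SEED, 0), b"contract.pdf")
    replay = hsm.sign("signatory", "hsm-password", hotp(RFC4226_SEED, 0), b"contract.pdf")
    print("activated:", first is not None, "| replay refused:", replay is None)
```

The replay check is what "sole control of the signatory" costs in practice: a captured OTP is worthless after its counter has been consumed, and a wrong password does not burn the OTP.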
Use cases
(Diagram) Remote banking, mobile banking, mobile wallet, cloud apps, eCommerce and contract signature all reach PkBox COD over the Internet; PkBox COD provides strong authentication on its own, or strong authentication combined with qualified remote signature.
Industries
The 3 most important Italian banks (contract signature, eInvoicing, …)
3 Italian Certification Authorities (remote signature services)
2 public body providers (eInvoicing)
Several small and medium banks
Universities
Outsourcing services for banks
Insurance companies
On premise | As a service
Strengths
Paperless
Acceleration of all processes – above all new client acquisition
Cost savings
Security
Up-to-date platform
PkBox in numbers
2 million active users, distributed as follows:
10 Banks
20 Universities
3 Certification Authorities
2 Outsourcing Services Companies
4 Insurance companies
10 Public Bodies
10 Manufacturing Enterprises
PkBox was confirmed as SSCD and can be
used to implement Remote Qualified
Electronic Signature solutions
PkBox has been confirmed as a Secure Signature Creation Device (SSCD) by A-SIT (Austria - Secure Information Technology
Center), the body designated by Austria under Article 3(4) of Directive 1999/93/EC to determine conformity with the
requirements set out in Annex III of the Directive; it can therefore be used to build Remote Qualified Electronic
Signature solutions with full legal validity.
The confirmation certificate is valid in all Member States of the European Union according to Article 3(4): "The conformity of
secure signature-creation-devices with the requirements laid down in Annex III shall be determined by appropriate public or private
bodies designated by Member States. [...] A determination of conformity with the requirements laid down in Annex III made by the
bodies referred to in the first subparagraph shall be recognised by all Member States."
The eIDAS Regulation preserves the effect of Article 3(4) of Directive 1999/93/EC after the Directive's repeal. Article 51(1)
reads: "Secure signature creation devices of which the conformity has been determined in accordance with Article 3(4) of Directive
1999/93/EC shall be considered as qualified electronic signature creation devices under this Regulation."
The eIDAS Regulation recognizes the
benefits of remote electronic signatures
Recital (52): The creation of remote electronic signatures, where the electronic signature
creation environment is managed by a trust service provider on behalf of the signatory, is set to
increase in the light of its multiple economic benefits. However, in order to ensure that such
electronic signatures receive the same legal recognition as electronic signatures created in an
entirely user-managed environment, remote electronic signature service providers should
apply specific management and administrative security procedures and use trustworthy
systems and products, including secure electronic communication channels, in order to
guarantee that the electronic signature creation environment is reliable and is used under
the sole control of the signatory. Where a qualified electronic signature has been created using a
remote electronic signature creation device, the requirements applicable to qualified trust service
providers set out in this Regulation should apply.
Requirements for Qualified remote
electronic signature solutions from the
eIDAS Regulation
Recital 55 states that "IT security certification based on international standards such as ISO 15408 and
related evaluation methods and mutual recognition arrangements is an important tool for verifying the security of
qualified electronic signature creation devices and should be promoted"
It should be read in combination with recital 52: "remote electronic signature service providers should apply
specific management and administrative security procedures and use trustworthy systems and
products, including secure electronic communication channels, in order to guarantee that the electronic
signature creation environment is reliable and is used under the sole control of the signatory"
According to Article 30, the certification of qualified electronic signature creation devices shall be based on a
security evaluation process carried out in accordance with one of the standards for the security assessment of
information technology products included in a list to be established by the Commission.
Qualified remote electronic signature
solutions under the eIDAS Regulation:
a proposal
A remote signature solution is in general the combination of software and an HSM hosted by a TSP.
Our proposal is that the certification of the SSCD is a combination of:
ISO 15408 certification of the HSM for signatory key pair generation, storage and signature creation
A specific qualification path for TSPs offering the service, defined by developing a specific policy and
security requirements standard based on TS 419 241 (Security Requirements for Trustworthy
Systems Supporting Server Signing) or its evolution, to be assessed by a Conformity Assessment
Body accredited under EN 319 403 and subject to supervision
Security Pill of the day
Security is an attitude: learn it with a game!
www.catchergame.com
Intesi Group S.p.A.
Via Torino, 48 - 20123 Milano
T. +39 02 6760641
www.intesigroup.com
intesi@intesigroup.com
proposal on assessment of qualified signature creation devices compliant with #eIDAS

  • 7. Industries
The 3 most important Italian banks (contract signature, eInvoicing, …)
3 Italian Certification Authorities (Remote Signature Services)
2 Public Body Providers (eInvoicing)
Several small and medium banks
Universities
Outsourcing services for banks
Insurances
On premise / As a service
7/12

  • 8. Strengths
Paperless
Acceleration of all processes – above all new client acquisition
Cost savings
Security
Up-to-date platform
8/12

  • 9. PkBox in numbers
2 million active users, distributed as follows:
10 Banks
20 Universities
3 Certification Authorities
2 Outsourcing Services Companies
4 Insurances
10 Public Bodies
10 Manufacturing Enterprises
9/12

  • 10. PkBox was confirmed as SSCD and can be used to implement Remote Qualified Electronic Signature solutions
PkBox has been confirmed as a Secure Signature Creation Device (SSCD) by A-SIT (Austria - Secure Information Technology Center), the body designated by Austria according to Article 3(4) of Directive 1999/93/EC, to comply with the requirements set out in Annex III of the Directive, and can therefore be used for the realization of Remote Qualified Electronic Signature solutions with full legal validity.
The confirmation certificate is valid in all the Member States of the European Union according to Article 3(4): "The conformity of secure signature-creation-devices with the requirements laid down in Annex III shall be determined by appropriate public or private bodies designated by Member States. [...] A determination of conformity with the requirements laid down in Annex III made by the bodies referred to in the first subparagraph shall be recognised by all Member States."
The eIDAS Regulation extends the validity of Article 3(4) of Directive 1999/93/EC after its repeal. Article 51(1) reads: "Secure signature creation devices of which the conformity has been determined in accordance with Article 3(4) of Directive 1999/93/EC shall be considered as qualified electronic signature creation devices under this Regulation".
10/12

  • 11. The eIDAS Regulation recognizes the benefits of remote electronic signatures
Recital (52): "The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust service provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user-managed environment, remote electronic signature service providers should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust service providers set out in this Regulation should apply."
11/12

  • 12. Requirements for Qualified remote electronic signature solutions from the eIDAS Regulation
Recital 55 states that "IT security certification based on international standards such as ISO 15408 and related evaluation methods and mutual recognition arrangements is an important tool for verifying the security of qualified electronic signature creation devices and should be promoted".
It should be read in combination with Recital 52: "remote electronic signature service providers should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory".
According to Article 30, the certification of qualified electronic signature creation devices shall be based on a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products in a list to be established by the Commission.
12/12

  • 13. Qualified remote electronic signature solutions under the eIDAS Regulation: a proposal
A remote signature solution is in general the combination of software and an HSM hosted by a TSP. Our proposal is that the certification of the SSCD is a combination of:
ISO 15408 certification of the HSM for signatory key pair generation, storage and signature creation
A specific qualification path for TSPs offering the service, defined by developing a specific policy and security requirements standard based on TS 419 241 (Security Requirements for Trustworthy Systems Supporting Server Signing) or its evolution, to be assessed by a Conformity Assessment Body accredited under EN 319 403 and under supervision
13/12

  • 14. Security Pill of the day
Security is an attitude: learn it with a game! www.catchergame.com
14/12

  • 15. Intesi Group S.p.A.
Via Torino, 48 - 20123 Milano
T. +39 02 6760641
www.intesigroup.com
intesi@intesigroup.com