
eIDAS Reference Guide

An important part of eIDAS is to regulate electronic signatures and ensure safe transactions online. By providing qualified electronic signatures, trust service providers give both the signatory and the recipient a higher level of convenience and security. Use this guide to understand and navigate the regulation's goals and benefits.



  1. eIDAS: European Regulation for eID and Trust Services for Electronic Transactions
  2. Topics Covered
     • Overview of eIDAS
     • eIDAS Electronic Trust Services and types of digital signature
     • Becoming a Qualified Trust Service Provider
     • Meeting eIDAS use cases with Gemalto solutions
     Security, convenience & mobility
  3. What is eIDAS? (section: Complying with eIDAS)
  4. What is eIDAS? The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS) is a European regulation that creates a framework for cross-border electronic identification and electronic transactions across EU member countries. (Source: The Authentication and Identity Management Index)
  5. What are the goals of eIDAS?
     • Open up access to public services and ensure secure online transactions across the borders of EU member countries
     • Improve security and convenience when doing business online
     • Encourage digital transaction growth and dematerialization
     • Enable cross-border trust
  6. Primary provisions of eIDAS
     • Interoperability of government-issued ID: EU Member States are required to mutually recognize each other's electronic identification (eID) systems when citizens use them to access online public services
     • Single digital market: electronic trust services (eTS), including electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, work across borders and have the same legal standing as their paper-based counterparts
  7. eIDAS Timeline
     • September 2014: entry into force of the Regulation
     • September 2015: voluntary recognition of eIDs, following adoption of six implementing acts on Member State cooperation, the interoperability framework, eID levels of assurance, formats of advanced electronic signatures and seals, technical specifications of the national trusted lists, and the EU trust mark
     • 1 July 2016: the eIDAS Regulation replaces the eSignature Directive (1999/93/EC). Certificates issued to natural persons under the eSignature Directive remain valid until they expire; certification service providers have one year to submit a conformity assessment report and are treated as qualified trust service providers under eIDAS in the meantime
     • September 2018: mandatory cross-border recognition of eIDs
  8. Electronic Trust Services (section)
  9. Electronic Trust Services (eTS) Benefits
     • Improved customer experience
     • Increased trust and confidence
     • Efficiency: faster processes
     • Efficiency: paperless, with fewer errors
     • New business opportunities with cross-border reach
     • Easier regulatory compliance
  10. Types of Electronic Trust Services (eTS)
     1. Electronic Signature: the electronic equivalent of a handwritten signature
     2. Electronic Seal: issued to and used by legal persons to ensure the origin and integrity of data or documents; NOT an eSignature of the legal person
     3. Time Stamp: binds a date and time to an electronic document, proving that the document existed at that point in time and has not changed since
     4. Electronic Document: storage and transfer of documents online; eIDAS sets the principle of non-discrimination of the legal effects and admissibility of electronic documents in legal proceedings
     5. eID: the process of determining a person's or entity's identity by electronic means
     6. Electronic (Registered) Delivery: infrastructure for transferring documents or data between two entities or systems electronically
     7. Website Authentication: trusted information on a website (e.g. a certificate) that allows users to verify the authenticity of the website and its link to the entity or person behind it
  11. Types of Electronic Signature Defined by eIDAS
     Standard (simple) electronic signatures
     • Basic signatures in electronic form
     • Legally recognized: an eSignature cannot be denied legal effect or admissibility solely because it is in electronic form
     Advanced electronic signatures (AdES)
     • Require a higher level of security, typically met with certificate-based digital IDs
     • Uniquely linked to, and capable of identifying, the signatory
     • Created using signature creation data that the signatory can use under their sole control
     • Linked to the signed data so that any subsequent tampering with the data is detectable
     Qualified electronic signatures (QES)
     • An AdES based on a qualified certificate, which may only be issued by a qualified trust service provider (CA) supervised by a Member State's designated supervisory body
     • The private key used to create the signature (not the certificate itself) must be generated and held in a qualified signature creation device (QSCD), such as a USB token, smart card or HSM
     • To provide qualified eSignature services, a trust service provider must be granted qualified status
  12. eIDAS Electronic Signature Use Cases
     Local signing use cases: the user's keys are held on a qualified signature creation device (QSCD) in the form of an eIDAS-compliant smart card or USB token, and the user signs locally with that device. eIDAS requires the smart card or USB token used as the QSCD to be Common Criteria certified (see the EN 419211 protection profiles on slide 20).
     Remote signing use cases: the user's keys are generated and held inside a Hardware Security Module (HSM) attached to a signing server and never leave it. The eIDAS regulation does NOT specify any standard for the HSM used in remote server signing. The regulation does still require the signatory to keep sole control of the signing key: a remote service must therefore authenticate the signatory for every signing operation, and only a qualified trust service provider may generate or manage signature creation data on the signatory's behalf.
  13. Qualified Trust Service Provider (section)
  14. What is a qualified trust service provider? "Qualified trust service providers render services which ensure a higher level of security. They comply with specific requirements as laid down in the Regulation and are submitted to an enhanced supervision mechanism."
  15. Benefits of Becoming a Qualified Trust Service Provider
     • Only qualified trust service providers appear on the EU trusted lists, which enumerate the providers and services that have been granted qualified status. An entity that is not on the list is not permitted to provide qualified trust services, and a relying party should check the list before treating a service as qualified.
     • Because of the stringent process for becoming a qualified trust service provider, the trust services they provide carry higher legal certainty and higher security for electronic transactions than non-qualified trust services
     • Only qualified trust service providers may use the EU trust mark to advertise or market their services
     • Only qualified trust service providers are held to a common, regulation-defined security baseline across Europe and comply with the requirements set out in the eIDAS Regulation
  16. How to Become a Qualified Trust Service Provider (TSP)
     1. Assessment: the business obtains an assessment report from an accredited conformity assessment body. The assessment verifies that the business and the services it provides meet the requirements to be qualified.
     2. Approval: the trust service provider sends the report, with a letter of intent (the notification), to the national supervisory body in the Member State where it is established. The supervisory body has three months to verify that the report demonstrates compliance.
     3. Trusted list: if qualified status is granted, the trust service provider and the qualified trust services it provides are added to the national trusted list. These lists are established, published and maintained by the Member States and are referenced from the EU list of trusted lists.
     4. Trust mark: once the trust service provider is deemed qualified, it may use the EU trust mark, which clearly differentiates it from non-qualified trust services.
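The relying-party side of the trusted list, as an added example that is not part of Gemalto's guide: given a CA certificate and a point in time (for instance the signing time of a document), look the CA up in a Member State trusted list in the ETSI TS 119 612 XML format and report whether it was listed as a qualified-certificate CA with status "granted" at that time. The list below (SAMPLE_TL) is a constructed minimal fragment with one provider and one service whose status was granted in 2016 and withdrawn in 2019; the "certificate" bytes are a stand-in for real DER. A real list is XML-signed and must be signature-verified, and its NextUpdate checked, before its contents are trusted; that step is not shown.

```python
"""Look a CA up in an eIDAS trusted list (ETSI TS 119 612 XML) at a point in time.

Added example; SAMPLE_TL is a constructed list, not a real Member State list,
and FAKE_CA_DER stands in for a real DER-encoded CA certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

TSL_NS = "http://uri.etsi.org/02231/v2#"
NS = {"tsl": TSL_NS}
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrstLED/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrstLED/Svcstatus/withdrawn"
SVCTYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"  # CA issuing qualified certificates

# Constructed stand-in for the CA's DER certificate (a real list carries base64 DER).
FAKE_CA_DER = b"\x30\x82\x01\x00 constructed example QTSP CA certificate"
FAKE_CA_B64 = base64.b64encode(FAKE_CA_DER).decode()


def _entry(status, start):
    # Body shared by ServiceInformation and ServiceHistoryInstance (constructed).
    return f"""
      <tsl:ServiceTypeIdentifier>{SVCTYPE_CA_QC}</tsl:ServiceTypeIdentifier>
      <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified CA</tsl:Name></tsl:ServiceName>
      <tsl:ServiceDigitalIdentity>
        <tsl:DigitalId><tsl:X509Certificate>{FAKE_CA_B64}</tsl:X509Certificate></tsl:DigitalId>
      </tsl:ServiceDigitalIdentity>
      <tsl:ServiceStatus>{status}</tsl:ServiceStatus>
      <tsl:StatusStartingTime>{start}</tsl:StatusStartingTime>"""


# Current status is "withdrawn" (from 2019-03-01); the history records "granted" from 2016-07-01.
SAMPLE_TL = f"""<tsl:TrustServiceStatusList xmlns:tsl="{TSL_NS}">
 <tsl:TrustServiceProviderList><tsl:TrustServiceProvider>
  <tsl:TSPInformation><tsl:TSPName><tsl:Name xml:lang="en">Example QTSP</tsl:Name></tsl:TSPName></tsl:TSPInformation>
  <tsl:TSPServices><tsl:TSPService>
   <tsl:ServiceInformation>{_entry(STATUS_WITHDRAWN, "2019-03-01T00:00:00Z")}
   </tsl:ServiceInformation>
   <tsl:ServiceHistory><tsl:ServiceHistoryInstance>{_entry(STATUS_GRANTED, "2016-07-01T00:00:00Z")}
   </tsl:ServiceHistoryInstance></tsl:ServiceHistory>
  </tsl:TSPService></tsl:TSPServices>
 </tsl:TrustServiceProvider></tsl:TrustServiceProviderList>
</tsl:TrustServiceStatusList>"""


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def _when(iso):
    # TS 119 612 times are UTC, YYYY-MM-DDThh:mm:ssZ.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _fingerprints(entry):
    # SHA-256 over the DER of each X509Certificate digital identity in the entry.
    out = set()
    for c in entry.findall("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate", NS):
        out.add(hashlib.sha256(base64.b64decode(c.text.strip())).hexdigest())
    return out


def service_status_at(tl_xml, ca_der, at):
    """Return (tsp_name, service_type, status_uri) for the service whose digital
    identity matches ca_der, as in force at time `at` (ISO-8601 string or aware
    datetime). None if the CA is not listed or `at` predates its first status."""
    at = _when(at) if isinstance(at, str) else at
    want = hashlib.sha256(ca_der).hexdigest()
    root = ET.fromstring(tl_xml)
    for tsp in root.findall("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        name = _text(tsp, "tsl:TSPInformation/tsl:TSPName/tsl:Name")
        for svc in tsp.findall("tsl:TSPServices/tsl:TSPService", NS):
            # Current status plus every historical status, newest first.
            entries = svc.findall("tsl:ServiceInformation", NS) + \
                svc.findall("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)
            if not any(want in _fingerprints(e) for e in entries):
                continue
            entries.sort(key=lambda e: _when(_text(e, "tsl:StatusStartingTime")), reverse=True)
            for e in entries:
                if _when(_text(e, "tsl:StatusStartingTime")) <= at:
                    return (name, _text(e, "tsl:ServiceTypeIdentifier"), _text(e, "tsl:ServiceStatus"))
            return None  # listed, but no status was in force yet at `at`
    return None


def is_qualified_ca_at(tl_xml, ca_der, at):
    """True only if the CA was listed as a CA/QC service with status 'granted' at `at`."""
    found = service_status_at(tl_xml, ca_der, at)
    return found is not None and found[1] == SVCTYPE_CA_QC and found[2] == STATUS_GRANTED


if __name__ == "__main__":
    for t in ("2015-01-01T00:00:00Z", "2017-01-01T00:00:00Z", "2020-01-01T00:00:00Z"):
        print(t, service_status_at(SAMPLE_TL, FAKE_CA_DER, t), is_qualified_ca_at(SAMPLE_TL, FAKE_CA_DER, t))
```

The point of walking ServiceHistory rather than reading only the current ServiceStatus is that a signature made in 2017 under this CA was qualified at the time even though the service has since been withdrawn; conversely a certificate issued before 2016-07-01 finds no status in force and is not treated as qualified. Production code would also match on the X509SKI digital identity, honour the Qualifications extension (e.g. whether the certificate was issued with a QSCD), and take the list itself from the EU list of trusted lists after verifying its signature.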
  17. Electronic Trust Services Use Cases: eHealth, eTax filing, eBanking, eProcurement, contracts, eEducation
     The eIDAS single digital market will create an abundance of opportunities for qualified trust service providers that can attract customers looking for the most secure channel available to conduct their business.
     • eEducation: eIDAS simplifies access to public administrations, allowing students to complete foreign college applications without appearing in person. The student authenticates with an eID, signs the application with a digital signature, and the record is preserved digitally.
     • eProcurement: with eIDAS, a cross-border call for tenders is easier. Businesses can respond securely with a digital submission that includes electronic registered delivery, a time stamp to prove it was submitted on time, and an eSignature to formalize it.
     • eTax: a citizen who moves from one EU country to another can file the previous year's taxes without travelling. An eID is used to authenticate and a digital signature is used to file the return securely.
  18. Gemalto Solutions for eIDAS Compliance (section)
  19. Gemalto Solutions for eIDAS Electronic Signature Use Cases
     Local use cases: the eIDAS regulation requires Common Criteria certified smart cards for local (client-side) digital signing. Gemalto meets the requirements of the local signing use case with the IDPrime smart card family.
     Remote use cases: the eIDAS regulation does NOT specify any standard for the HSM used in remote server signing; it is up to individual countries to determine which certification is required. The suitability of Gemalto HSMs for remote signing use cases therefore depends on a per-country decision based on local legislation. For example, Poland is proposing to use our HSMs as an SSCD (secure signature creation device, the pre-eIDAS term for a QSCD).
  20. Gemalto Compliant PKI Smart Cards for Local Signing Use Cases
     IDPrime MD 840 and IDPrime MD 3840 are PKI-based smart cards that address a wide range of use cases requiring PKI security, including secure access, email encryption, secure data storage and digital signature. Both cards are Common Criteria certified and have the following features:
     • CC EAL5+ / PP Java Card certified for the Java platform, and CC EAL5+ / PP QSCD certified for the combination of Java platform plus PKI applet. The CC EAL5+ / PP QSCD certification is based on the protection profiles EN 419211 parts 1 to 6, as mandated under eIDAS
     • Enhanced cryptographic support, with both RSA and elliptic curves
     • IDPrime MD 840: contact smart card
     • IDPrime MD 3840: contactless smart card
  21. Common Criteria
     eIDAS and CC: Common Criteria certification against the QSCD protection profiles is a prerequisite for a device to be recognized as a QSCD, and therefore for the qualified electronic signatures created on it under the eIDAS regulation.
     What is Common Criteria (CC)? An international set of guidelines and specifications for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.
     Key components of CC: protection profiles and evaluation assurance levels.
     Gemalto products: the IDPrime MD 840 and IDPrime MD 3840 both hold the CC EAL5+ / PP Java Card and CC EAL5+ / PP QSCD certifications listed on slide 20.
  22. Thank You!
