e-Signatures
for ZertES
and eIDAS
Welcome to the conference
30 March, 2017 @ Park Hyatt Zurich
Kaspar Loeb
Senior Consultant, lic. Iur.,
cr Kommunikation
With a law degree from the University of Basel, Kaspar Loeb started his career in journalism at the Ringier School of Journalism. In 2000 he joined DDB in Switzerland as CEO, became CEO of Publicis Switzerland in 2004 and was CEO of Saatchi & Saatchi Switzerland from January 2008 to September 2010. Today he is Senior Consultant at cR Communications in Zurich.
He is the author of numerous articles on communications, branding and reputation issues. As the host of several IAA Forums in Zurich he has discussed hot communications topics with internationally respected leaders. Kaspar Loeb is a regular guest expert on all aspects of complex communications strategy on various Swiss TV stations and is invited to forums.
Agenda
13.00 Registration
13.30 Key note: The spirit of innovation in electronic signatures
14.00 ZertES and eIDAS, the revised Swiss signature law and alignment work with eIDAS
14.20 Certificates, the trust anchor for your digitalisation strategy
14.40 A common security and authentication framework for multiple applications
15.20 CEN and ETSI standards and compliance
15.40 UBS case study
16.10 Compliance and service certification
16.30 Panel discussion and Q & A
17.00 Apéro riche
Urs Paul Holenstein, Bundesamt für Justiz
Urs Fischer, SwissSign
Urs Zurbuchen, Ergon Airlock
Nick Pope, ETSI and Thales
Ruediger Lobrinus and Philipp Kuhn, UBS
Urs Würgler and Reto Grubenmann, KPMG
Peter Landrock, Cryptomathic
Prof. Peter Landrock
Founder and Executive Chairman, Cryptomathic
Peter Landrock is an internationally renowned cryptography expert and was instrumental in pioneering the concepts of secure remote digital signatures and What You See Is What You Sign (WYSIWYS).
The spirit of
innovation in
electronic signatures
Content
• Short history of e-signatures
• The non-repudiation challenge and the
What You See Is What You Sign (WYSIWYS) solution
• How to render electronic signature easy to use –
pioneering the concept of remote sole control
• Cryptomathic Signer to save money, digitalise and
improve customer experience
How did it all start?
• Driven by Europe and the EC in the late nineties
• Electronic, digital and advanced signatures
• Premature legislation
• The anticipation that chipcards would solve all problems
• The intention was good, but the execution was provided
by consultants, lacking experience
• As so often before
• And certainly not the last time
How did it all start
at Cryptomathic
• With invaluable experience, first of all
• The Danish government sponsored 9 pilots
• Cryptomathic participated in 3 of them
• The EC project SEMPER (Secure Electronic Marketplace for
Europe)
• Cryptomathic were a major partner
• We did not achieve as much as we had hoped, but we identified a lot of issues
• Inspiration from customers, in particular SDC in Denmark
• Robert Elgaard, and a dinner with a nice bottle of Barolo in
Piemonte
The real challenges, and the
proposal for the solution?
• Challenges
• Non-repudiation in the legal sense, not just the mathematical one
• You do not really sign a document, you sign a hash value
• How do you ensure that what you sign is the hash value of what you intend to sign?
• The concept WYSIWYS was born (1998, joint paper with our CTO, Dr Torben Pedersen)
• The proposed solution
• Chip cards... but not many chip card readers around
• We then asked:
• If you deposit your money, why not your secret key?
The Achilles heel of most PKI solutions
• Revocation!
• A certificate purports to say something about the future
• But in fact it only says something about the past, just as a driver's licence does
• In the chip card world, even if you revoke a certificate, anybody with access to the chip card holding the corresponding private key can go on generating digital signatures
• Not so with central signing
The Signer was born!
Pioneering the concept of Remote Sole Control
• Signer
• Your secret key is as secure in a vault somewhere as all your other deposited assets
• It is under your sole control
• And if it is revoked, no more signatures will be generated
• The access control can be as strong as you want it
• Many options
• WYSIWYS
• Which in a nutshell means that the semantic content of a digitally signed message cannot be changed, either by accident or by intent
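The three slides above make two claims that are easy to state and easy to get wrong in an implementation: a signing service must sign the hash of the bytes it actually showed the user (WYSIWYS), never a hash handed in by the client; and revocation only stops signature generation when the key is held centrally, because a chip card never learns that its certificate is on a CRL. The model below is an added example written for this page, not Cryptomathic code. It uses textbook RSA over SHA-256 with a 512-bit toy modulus and no padding, purely to make the control flow runnable; the `CentralSigner` policy (refuse once revoked, hash only what was rendered) is an assumption taken from the slides, and the two contract strings are constructed inputs.

```python
import hashlib
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Textbook RSA (n, e, d) at toy size; real keys are 2048 bits or more."""
    e = 65537
    primes = []
    while len(primes) < 2:
        cand = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if is_probable_prime(cand) and cand not in primes and (cand - 1) % e:
            primes.append(cand)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def verify(pub, document: bytes, signature: int) -> bool:
    """Relying-party check: the signature must open to the hash of this document."""
    n, e = pub
    return pow(signature, e, n) == sha256_int(document)

class CentralSigner:
    """Key held in the vault: used only for its enrolled user and only while the
    key is not revoked (assumed policy, following the slides above)."""
    def __init__(self):
        self.keys, self.revoked = {}, set()

    def enrol(self, user):
        n, e, d = self.keys[user] = rsa_keygen()
        return n, e

    def revoke(self, user):
        self.revoked.add(user)

    def _check(self, user):
        if user in self.revoked:
            raise PermissionError(f"key of {user} is revoked; no signature generated")

    def sign_digest_naive(self, user, digest: int) -> int:
        """Anti-pattern: signs any caller-supplied hash, so whoever computes the
        hash, not the user, decides which document ends up signed."""
        self._check(user)
        n, e, d = self.keys[user]
        return pow(digest, d, n)

    def present_and_sign(self, user, document: bytes):
        """WYSIWYS: hash exactly the bytes rendered to the user (decode stands in
        for a trusted viewer), so shown content and signed hash cannot diverge."""
        self._check(user)
        n, e, d = self.keys[user]
        return document.decode("utf-8"), pow(sha256_int(document), d, n)

def demo():
    random.seed(7)  # reproducible toy keys
    contract = b"Transfer CHF 1,000 to Alice."     # constructed: what the user reviewed
    swapped = b"Transfer CHF 100,000 to Mallory."  # constructed: what an attacker wants signed
    out = {}
    # 1. Chip card: certificate on the CRL, yet the card signs and the math checks out.
    n, e, d = rsa_keygen()
    out["card_signature_valid_after_revocation"] = verify(
        (n, e), contract, pow(sha256_int(contract), d, n))
    # 2. Central signer: revocation stops signature generation outright.
    server = CentralSigner()
    server.enrol("lisa")
    server.revoke("lisa")
    try:
        server.present_and_sign("lisa", contract)
        out["central_refuses_after_revocation"] = False
    except PermissionError:
        out["central_refuses_after_revocation"] = True
    # 3. Hash substitution: the naive API yields a valid signature over `swapped`,
    #    a document the user never saw.
    pub = server.enrol("bob")
    sig_naive = server.sign_digest_naive("bob", sha256_int(swapped))
    out["naive_signature_covers_unseen_doc"] = verify(pub, swapped, sig_naive)
    # 4. WYSIWYS: the signature binds to the shown bytes and to nothing else.
    shown, sig_w = server.present_and_sign("bob", contract)
    out["wysiwys_signature_bound_to_shown_doc"] = (
        shown == contract.decode() and verify(pub, contract, sig_w)
        and not verify(pub, swapped, sig_w))
    return out
```

`demo()` returns four booleans, all expected to be `True`: the revoked card still produces a mathematically valid signature (the relying party has to consult CRL/OCSP itself), the central signer refuses after revocation, the hash-accepting API can be driven into signing an unseen document, and the WYSIWYS path signs only what it rendered.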
So security is as high as it
gets – what about the rest?
• The eIDAS legal framework can be fully exploited
• In fact, Cryptomathic Signer paved the way for new legislation
• The operational cost is absolutely minimal
• Hardly ever a need for support
• The sustainability is indisputable:
• No paper, no transport except electronically
• The user friendliness can be given top priority
• No hardware to install at the user end
• Security can be tailored to meet any need
And just for completeness
• The concept of the remote Signer earned us the nomination at the World Economic Forum in Davos in 2003 as one of the most innovative companies in the world that year
• We have a number of patents
on our innovations
• Remote Signer
• WYSIWYS
• ……
Conclusion
To be one of the key initiators to this approach to e-
commerce and e-banking is probably the most useful thing
I ever did
And our excellent team will keep improving and enhancing for
the benefit of our customers and society
Product slides from
Guillaume Forget
What is Signer?
Input: Data to be signed
Output: Signed data (QES level)
In the middle: we provide the necessary technology for the signing experience and can leverage the existing environment and procedures (KYC, IdM, DMS, authentication services/IdP, etc.)
Trust in a 3-tier architecture
WYSIWYS Server
• Receives the document from a trusted source
• Outputs the signed document to a trusted source
Client
• Displays the document through a trusted viewer
• Ensures user commitment and sole control
Signer
• Terminates the user's sole control in the SAM
• Manages the user's keys
• Verifies the SAD and validates the IdP's authenticity
Where does Signer fit
(Architecture diagram, not reproduced. Domains shown: User Domain, Application Domain, Partner Domain, Trust Domain. Components shown: End User, who signs documents from a regular web browser or an app; Second Authentication, e.g. OTP, SMS, challenge-response; Web Application Firewall; Business Application; Repository; Document Management Service; Identity Provider (SAML / OpenID Connect); Partner Portal incl. user management; Cryptomathic Signer RA; Cryptomathic Signer; Cryptomathic WYSIWYS Server; Cryptomathic Authenticator; CA Services; OCSP Responder; Time Stamping Authority.)
Urs Paul Holenstein
Head of Legal Data Processing Unit,
Federal Office of Justice FOJ
Holenstein’s unit tracks and promotes the development of legal data processing
systems, is contact point for other departments’ questions on IT law, and in charge of
the FOJ's legal data processing projects especially relating to criminal registry,
electronic administrative processes, debt collection and bankruptcy, commercial, civil,
and land registries. It also represents FOJ's interests in federal legal data processing
projects and on specialist bodies.
He was responsible for the Revision of the Swiss signature law.
ZertES and eIDAS,
the revised Swiss signature
law and alignment work with
eIDAS
Federal Department of Justice and Police (EJPD)
Federal Office of Justice (BJ)
Legal Informatics Unit
Are ZertES and eIDAS (in)compatible?
30 March 2017
Starting position
• On 28 March 2012 the consultation procedure on a total revision of the Federal Act of 19 December 2003 on Certification Services in the Field of Electronic Signatures (ZertES; SR 943.03) was opened.
• ZertES was to be totally revised in a 'minimally invasive' way, without touching the basic structure of ZertES and its terminology.
• The European Directive 1999/93/EC on 'a Community framework for electronic signatures' had also been the guideline for ZertES.
• The ongoing revision work on the European Signature Directive was known.
Are ZertES and eIDAS (in)compatible? | e-Signatures for ZertES and eIDAS | 30 March 2017 | Urs Paul Holenstein
Starting position (continued)
• On 4 June 2012 the European Commission adopted the proposal for a 'Regulation on electronic identification and trust services for electronic transactions in the internal market' for the European Parliament and the Council.
• eIDAS Regulation: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
• Implementing acts: see Official Journal of the European Union L 235 of 9 September 2015.
Content of the ZertES total revision
• The dispatch (Botschaft) was adopted by the Federal Council on 15 January 2014 (see BBl 2014 1001). It
  - contains, in addition to the qualified electronic signature, the regulated electronic signature, to which reduced requirements apply;
  - newly introduces the regulated electronic seal, which is available to legal persons and authorities;
  - creates the basis for regulating secure authentication with certification service products;
  - harmonises the provisions on electronic legal transactions in the federal procedural codes as far as possible in content and terminology.
Course of the ZertES total revision
• The National Council dealt with the bill on 17 December 2015 as the first chamber; the Council of States followed on 29 February 2016
• Excerpt from the statement by National Councillor Yves Nidegger as rapporteur of the Legal Affairs Committee of the National Council (original in French):
"When a text prompts neither minority proposals nor dissenting opinions, either it is perfect, or nobody has really understood it."
• Final vote on 18 March 2016
• Details of the parliamentary deliberations: see the Official Bulletin (Amtliches Bulletin)
• Publication in the Federal Gazette (see BBl 2016 2021)
• The referendum deadline expired unused on 7 July 2016
Innovations of the ZertES total revision
The ZertES total revision
• changes (almost) nothing regarding the qualified electronic signature;
  - New Article 14 paragraph 2bis of the Code of Obligations: a qualified electronic signature under ZertES combined with a qualified time stamp is deemed equivalent to a handwritten signature.
• creates the basis for regulating secure authentication with certification service products;
• requires amendments to various implementing provisions (VZertES; TAV of BAKOM/OFCOM);
• enters into force on 1 January 2017 (Federal Council decision of 23.11.2016).
Scope of ZertES and eIDAS
• eIDAS Regulation
  - Part 1: electronic identification means
  - Part 2: trust services
    - electronic signatures
    - electronic seals
    - electronic time stamps
    - electronic registered delivery services
    - certificates for website authentication
• ZertES and its implementing provisions regulate the area of trust services (without delivery services)
• On 22 February 2017 the Federal Council opened the consultation on the E-ID Act
Significance of ZertES and eIDAS
• The eIDAS Regulation has been directly applicable in all EU member states since 1 July 2016.
  - Discussion about the need to adapt or repeal national legislation (e.g. in Germany).
• Implementation in Switzerland has taken place (ZertES) or has begun (E-ID Act, mandatory electronic legal transactions, the 'ERV-Obligatorium').
• BUT: the totally revised ZertES and the new E-ID Act are in principle eIDAS-compatible, but without mutual recognition (a bilateral treaty with the EU is necessary) the corresponding applications are legally almost worthless, or at least not unproblematic.
Are ZertES and eIDAS (in)compatible?
• ZertES and the eIDAS Regulation form legal frameworks that can refer to the same technical (ETSI) standards. These distinguish, for example, four signature formats:
  - XAdES (XML Advanced Electronic Signatures)
  - CAdES (CMS Advanced Electronic Signatures)
  - PAdES (PDF Advanced Electronic Signatures)
  - ASiC (Associated Signature Containers)
• The EU uses a different standard for signing PDF or PDF/A documents than Switzerland does (and not uniformly the same standard either).
• validator.ch is not able to check documents signed on the basis of that standard.
• Foreign and EU certificates are in any case unknown to validator.ch.
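The slide above names the four ETSI signature families and warns that a PDF signed under one profile may not validate under another. The first thing a practitioner does when a document "does not validate" is to find out which family and profile it actually carries. The classifier below is an added example for this page, not code from the Federal Office of Justice or from validator.ch. It uses only stable, standardised markers: the `/SubFilter` name in a PDF signature dictionary (`ETSI.*` for PAdES, `adbe.*` for ISO 32000 signatures), the `mimetype` entry of an ASiC container, the XML-DSig and XAdES namespaces, and the DER-encoded `id-signedData` OID at the start of a CMS structure. It cannot tell CAdES from plain CMS without parsing the signed attributes, and says so. All sample inputs are constructed minimal byte strings, not real signatures.

```python
import io
import re
import zipfile

# DER encoding of the id-signedData OID 1.2.840.113549.1.7.2 that opens every CMS SignedData
ID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
XMLDSIG_NS = b"http://www.w3.org/2000/09/xmldsig#"
XADES_NS = b"http://uri.etsi.org/01903"   # all XAdES namespace URIs start like this


def identify_signature_format(blob: bytes) -> str:
    """Classify a signed artefact into the AdES families named on the slide."""
    if blob.startswith(b"%PDF"):
        sub = re.search(rb"/SubFilter\s*/([A-Za-z0-9.]+)", blob)
        if b"/ByteRange" in blob and sub:
            name = sub.group(1).decode()
            # PAdES uses the ETSI.* SubFilters; adbe.* are ISO 32000 signatures
            family = "PAdES" if name.startswith("ETSI.") else "PDF signature (ISO 32000, not PAdES)"
            return f"{family} [{name}]"
        return "PDF without signature dictionary"
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            mimetype = z.read("mimetype").decode() if "mimetype" in names else ""
            if mimetype.startswith("application/vnd.etsi.asic-"):
                kind = "ASiC-E" if "asic-e" in mimetype else "ASiC-S"
                sigs = [n for n in names if n.startswith("META-INF/") and "signature" in n.lower()]
                return f"{kind} [{len(sigs)} signature file(s)]"
        return "ZIP container, not ASiC"
    if blob.lstrip().startswith(b"<"):
        if XMLDSIG_NS not in blob:
            return "XML without signature"
        return "XAdES" if XADES_NS in blob else "XML-DSig without XAdES qualifying properties"
    if blob[:1] == b"\x30" and ID_SIGNED_DATA in blob[:32]:
        return "CMS SignedData (CAdES if the ETSI signed attributes are present)"
    return "unknown"


def constructed_samples() -> dict:
    """Synthetic minimal inputs constructed for this example; not real signatures."""
    xades = (b'<?xml version="1.0"?><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
             b'<ds:SignedInfo/><ds:SignatureValue>AA==</ds:SignatureValue><ds:Object>'
             b'<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"/>'
             b'</ds:Object></ds:Signature>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("mimetype", "application/vnd.etsi.asic-e+zip")  # first entry, uncompressed
        z.writestr("contract.pdf", b"%PDF-1.7\n%%EOF")
        z.writestr("META-INF/signatures001.xml", xades)
    return {
        "pades": b"%PDF-1.7\n1 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached"
                 b" /ByteRange [0 100 200 300] /Contents <3082> >> endobj\n%%EOF",
        "iso32000": b"%PDF-1.7\n1 0 obj << /Type /Sig /SubFilter /adbe.pkcs7.detached"
                    b" /ByteRange [0 100 200 300] /Contents <3082> >> endobj\n%%EOF",
        "xades": xades,
        "plain_dsig": xades.replace(
            b'<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"/>', b""),
        "asic": buf.getvalue(),
        "cms": b"\x30\x82\x00\x20" + ID_SIGNED_DATA + b"\xa0\x82\x00\x13" + b"\x00" * 19,
    }


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(f"{label:10s} -> {identify_signature_format(blob)}")
```

Run it on a file with `identify_signature_format(open(path, "rb").read())`. The PDF branch is the one that matters for the slide's caveat: a signature dictionary whose `/SubFilter` is `adbe.pkcs7.detached` is a valid ISO 32000 signature but not a PAdES signature, and a validator built for one profile may reject the other.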
Urs Fischer
CEO
SwissSign
• Graduate in engineering and business administration
• My passion is to enable digital transformation
• My goal is to make technologies user-friendly
Certificates -
the trust anchor for your
digitalisation strategy
This is Lisa.
Shopping.
Banking.
Socialising.
She is living in a
digital world.
Trust as the Base.
• More and more digital processes enter our world
• They allow for a variety of new services
• To make use of them we need trust.
• As trusted third parties, Certificate Authorities (CAs) have for decades guaranteed a trusted base for virtual services.
As a Certificate Authority, SwissSign transforms trust into digital processes.
Trust Anchor.
• For companies and private persons SwissSign is the best trust anchor.
• This trust anchor is based on three pillars: emotion, processes and high tech.
• Trust is a value with more aspects than security.
• Swissness plays an important role, but so does reputation.
• As well as technologies and processes.
• And people standing up for security.
Our certificates make the trust anchor strong and stable.
Guarantor for Compliance.
• "Certificate Authorities" are issuers of qualified digital certificates.
• They have to ensure that the necessary regulatory requirements are fulfilled in order to issue qualified certificates.
• A Certificate Authority is held liable by law for non-compliance with regulations.
• SwissSign offers know-how, processes and technology to enable you to fulfil the business AND compliance requirements.
Thus, SwissSign becomes a guarantor for compliance.
Your Trusted Partner for Digital Identities
• 15 years' experience with digital identities
• Covering both the Swiss and the European jurisdictions
• Delivering a framework for enabling your identities for qualified signatures within your business processes (e.g. RA delegation)
• Joint venture of Swiss Post and SBB
• Certified to ZertES, ETSI (eIDAS), FINMA outsourcing, ISO 27001
SwissSign loves to keep you safe!
Urs Zurbuchen
Senior Security Consultant, Ergon Airlock
Engineer and consultant for the design and implementation of IT security solutions, Urs Zurbuchen brings more than 20 years of experience in Identity & Access Management and web application security to the table. Bridging business and security requirements, he strengthens our customers' digitalisation efforts and enables them to focus on making their visions a reality.
A common security and
authentication framework for
multiple applications
• Re-use your digital signature infrastructure
• The transaction-oriented side of digital signatures
• Identity Management
On Track for Security
Airlock IAM is the suite's central authentication platform, including enterprise functions.
With this product, customers, partners or employees log in just once for secure access
to data and applications. Airlock IAM also automates user administration.
The talk shows how Airlock IAM goes beyond simple web authentication and
empowers your digital signature solution to provide new solutions.
(Slide figures, not reproduced. Labels shown: Digitalisation: Processes, Identities, Authentication, Transactions, Verification.)
Requirements
• Digital signature infrastructure
• User directory with signature information
• Self-services
• Application integration
Identity Management
• Self-service processes
• Identity (self-)registration
• Token management (activation, migration)
Bringing it all together
Beyond simple web authentication
Nick Pope
Nick Pope is a principal consultant at Thales e-Security supporting their customers on
use of Thales’ hardware security modules in banking, governmental and commercial
sectors.
He has been involved in EU standards relating to electronic signatures for more than 15
years and before that development of X.509 standards in ISO.
Currently, Nick is chair of the ETSI steering group on signature creation and validation
and liaison representative on the CEN Working Group on signing devices.
Thales
Vice Chair, ETSI TC Electronic Signature & Infrastructures
CEN and ETSI standards and
compliance
eIDAS
"Levels" of electronic signature under eIDAS:
• Electronic signature
  - Anything which is used to sign
• Advanced electronic signature
  - Electronic signature with "sole control" properties such as provided by public key technology
  - A TSP can offer what is considered current good practice but takes on the liability
• Qualified electronic signature
  - Advanced electronic signature which meets the specific technical & security requirements specified in the regulation
  - The supervisory authority confirms, based on an audit, that the TSP meets the regulatory requirements
  - Option for the TSP to hold the key on behalf of the signatory
eIDAS Standards Framework
(Framework diagrams, not reproduced. Panels shown: trust services supporting signatures; national guidelines; advanced e-signature / e-seal formats, referenced by Implementing Decision 2015/1506; trust services supporting signatures, referenced by Implementing Decision 2016/650.)
Implementing Decision 2016/650 on Qualified Signature / Seal Creation Devices
• Local signing (e.g. smart cards): reference is made to the Common Criteria evaluation standards and to EN 419 211, the Protection Profiles for QSCD, mainly applied to smart cards
• For remote (centralised server) signing it repeats the statement from the eIDAS regulation that, in the absence of standards, a QSCD can be evaluated by a national body using "comparable security levels"
  - Expect the proposed draft standard (EN 419 241); the current draft is under evaluation and formal review
Cloud Signing: Basic Architecture
(Architecture diagram, not reproduced.)
Standards for Cloud Signing
• prEN 419 241-1: Security Requirements for Trustworthy Systems Supporting Server Signing
• prEN 419 241-2: QSCD for Server Signing
• PP EN 419 221-5: Cryptographic Module for Trust Services
Server Signing
• QSCD = HSM + SAM
• The Signature Activation Module (SAM) checks the Signature Activation Data (SAD):
  - the user is authenticated
  - the hash
  - the key identifier
• It uses a cryptographic module (Crypto) for the signature operation
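The "Server Signing" slide above, and the Signer bullets in the 3-tier architecture earlier on this page ("verifying SAD"), describe the gate that makes a remote QSCD different from an HSM with a password: the SAM must see Signature Activation Data that binds the authenticated user, one key identifier and one hash, and it must reject anything else before the cryptographic module is touched. The code below is an added example for this page, not Thales, Cryptomathic or CEN reference code. The SAD encoding (a JSON body with an HMAC-SHA256 tag under a key shared between the authenticator and the SAM, plus a nonce and an expiry) is an assumption for the demo; EN 419 241-2 specifies which bindings the SAD must carry, not this format. The signature operation itself is deliberately left out: the SAM's output is the (key id, hash) pair it has authorised for the crypto module. Inputs, names and the shared key are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

SAD_FIELDS = ("user", "key_id", "dtbsr", "exp", "nonce")


class Authenticator:
    """Issues a SAD after the user has been authenticated (second factor assumed
    to have happened before this point) for exactly one (user, key, hash) triple.
    Assumed encoding: compact JSON body + HMAC-SHA256 under a key shared with the SAM."""
    def __init__(self, shared_key: bytes):
        self.k = shared_key

    def issue_sad(self, user: str, key_id: str, dtbsr: bytes, ttl=60, now=None):
        body = {"user": user, "key_id": key_id, "dtbsr": dtbsr.hex(),
                "exp": int((now or time.time()) + ttl), "nonce": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return {"payload": payload, "tag": hmac.new(self.k, payload, hashlib.sha256).hexdigest()}


class SignatureActivationModule:
    """Gate in front of the cryptographic module: no valid SAD, no key use."""
    def __init__(self, shared_key: bytes, key_owner: dict):
        self.k = shared_key
        self.key_owner = key_owner        # key_id -> user, from the signer's key management
        self.used_nonces = set()

    def activate(self, user: str, key_id: str, dtbsr: bytes, sad: dict, now=None):
        """Returns (True, (key_id, dtbsr)) to hand to the crypto module, or (False, reason)."""
        expected = hmac.new(self.k, sad["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sad["tag"]):
            return False, "SAD integrity check failed"
        body = json.loads(sad["payload"])
        if sorted(body) != sorted(SAD_FIELDS):
            return False, "malformed SAD"
        if body["exp"] < (now or time.time()):
            return False, "SAD expired"
        if body["user"] != user or self.key_owner.get(key_id) != user:
            return False, "user is not the owner of this key"
        if body["key_id"] != key_id:
            return False, "SAD issued for a different key"
        if body["dtbsr"] != dtbsr.hex():
            return False, "SAD bound to a different hash"
        if body["nonce"] in self.used_nonces:
            return False, "SAD replayed"
        self.used_nonces.add(body["nonce"])   # one SAD authorises exactly one signature
        return True, (key_id, dtbsr)


def demo(now=1_700_000_000):
    """Accept case plus the rejections a SAM must produce (constructed inputs)."""
    k = b"constructed-shared-key-for-demo"
    idp = Authenticator(k)
    sam = SignatureActivationModule(k, {"key-lisa-01": "lisa"})
    dtbsr = hashlib.sha256(b"Transfer CHF 1,000 to Alice.").digest()
    other = hashlib.sha256(b"Transfer CHF 100,000 to Mallory.").digest()
    out = {}
    sad = idp.issue_sad("lisa", "key-lisa-01", dtbsr, now=now)
    out["other_hash"] = sam.activate("lisa", "key-lisa-01", other, sad, now)[1]
    out["ok"] = sam.activate("lisa", "key-lisa-01", dtbsr, sad, now)[0]
    out["replay"] = sam.activate("lisa", "key-lisa-01", dtbsr, sad, now)[1]
    sad2 = idp.issue_sad("lisa", "key-lisa-01", dtbsr, now=now)
    tampered = dict(sad2, payload=sad2["payload"].replace(b"lisa", b"mallory"))
    out["tampered"] = sam.activate("mallory", "key-lisa-01", dtbsr, tampered, now)[1]
    sad3 = idp.issue_sad("lisa", "key-lisa-01", dtbsr, now=now)
    out["wrong_user"] = sam.activate("mallory", "key-lisa-01", dtbsr, sad3, now)[1]
    out["expired"] = sam.activate("lisa", "key-lisa-01", dtbsr, sad3, now + 3600)[1]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of checks is deliberate: integrity first (nothing in an unauthenticated body is trusted), then freshness, then the user/key/hash bindings, and the nonce is only consumed on success so that a rejected attempt cannot burn a legitimate SAD. In a real QSCD the nonce store and the shared key would live inside the tamper-protected boundary together with the SAM.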
Thales nShield & eIDAS
• The current nShield has eIDAS certification; see: https://ec.europa.eu/futurium/en/content/compilation-member-states-notification-sscds-and-qscds
• EN 419 221-5 evaluation is in progress
• CodeSafe within nShield provides a protected environment to run protected code, i.e. the environment protection required by EN 419 241-2
nShield for Cloud Signing
(Diagram, not reproduced; labels shown: SAM, Crypto, CodeSafe, nShield.)
General Support for eIDAS
KYOS: Thales partner in Switzerland
Experts in security, networks and IT services, founded in 2002, based in Geneva and St. Gallen
• Headquarters in Geneva with a focus on French-speaking Switzerland
• Branch office in St. Gallen with a focus on the DACH region
KYOS values
• Close to customers and strong reactivity
• Service oriented
• Professional ethics & modesty
KYOS: your security and IT partner in Switzerland
Conclusions
• Draft standard (EN 419 241) for remote signing under evaluation / review
• The Cryptomathic solution, running on Thales nShield HSMs, is already closely aligned with the draft standards
• Expect the draft standard to be accepted by nations as providing a "comparable security level" to smart card based solutions
• Obtaining copies of standards: ETSI standards are free to download from http://www.etsi.org/standards-search; for CEN standards, contact your national standards organisation
CRYPTOMATHIC Case Study: UBS Electronic Signature
Rüdiger Lobrinus
Managing Director UBS Switzerland AG
Head - 1 Wealth Management Platform & Strategic
Platform Development
Rüdiger Lobrinus has joined the Multichannel Management &
Digitization (MM&D) department of UBS Switzerland AG in
May 2004 and amongst other duties, manages the Wealth
Management Online programme.
Philipp Kuhn
Director UBS Switzerland AG
Business Project Manager Electronic Signature
Philipp Kuhn has joined the Wealth Management Online team
within Multichannel Management & Digitization (MM&D) in
February 2014, where he is leading the Electronic Signature
project as well as MIFID II.
CRYPTOMATHIC Case Study: UBS Electronic Signature
Public
March 30, 2017
Wealth Management Online
Bringing the UBS way to invest online
Basic products will be digital only, but advisory services require a seamless multichannel experience
(Chart, not reproduced: product distribution today vs in 5 years, split into digital only / multichannel / branch only, for simple products (e.g. cards and accounts) and complex products (e.g. investing and mortgages); values shown: 10% and 70% for simple products, 45% and 70% for complex products. Source: McKinsey, study in the US and Western Europe.)
Overview Wealth Management Online
UBS Advice / UBS Manage: alerts; show-the-gap; close-the-gap; straight-through processing; investment strategy explained; performance in context; stress scenarios
Auxiliary functions: CIO and Impact; portfolio reporting; available on mobile; Electronic Signature
Why e-signature and a focus on WM clients?
More convenience for the client & increased efficiency for the bank
• Wealth Management clients sign approximately 10 documents per annum
• A total of 2,500 documents a client could sign
• Over 2.5 million signed documents per annum
Pre-requisites
1. UBS e-banking
2. Highest possible non-repudiation
3. No additional hardware requirements for the client
4. Simple user experience (UX), integrable in existing UBS processes
Request for proposal
In 2015: global request for proposal; 20 companies contacted; company pitches; detailed analysis of offers
Vendor selection and implementation
General contractor + certification authority (vendor logos not reproduced)
Within one year and three months the project was realized and rolled out to clients, including the OFCOM (SAS/SECO) certification, mandated to KPMG Switzerland
Certification
Close collaboration / consultation with OFCOM / KPMG throughout
Includes UBS as a...
... signature generation service provider (SGSP) (incl. CEN/TS 419 241:2014)
&
... registration authority (RA) delegated from SwissSign AG
Overall result
1st Swiss bank that has integrated and certified all relevant components for a Qualified Electronic Signature
Agreements
The Electronic Signature via UBS e-banking
Goals & Advantages
Key advantages of using the 'Agreements' process
The 'Agreements' process is easy to use and has an extended range of benefits: convenience, security & efficiency
• Secure transmission
• Instant availability
• Legally binding
• CO₂ friendly
• No mailing expenses
• Strong non-repudiation
• International recognition
Agreements: the UBS electronic signature
Reduction of admin work; focus on advising clients
HOW?
Some of the following slides have been removed as they are confidential. Please contact Philipp Kuhn if you have any questions about his presentation.
Visit our UBS e-banking DEMO
…go to www.ubs.com/e-banking
Contact information
Rüdiger Lobrinus, 8004 Zürich, Switzerland, Ruediger.Lobrinus@ubs.com
Philipp Kuhn, 8004 Zürich, Switzerland, Philipp.Kuhn@ubs.com
UBS Switzerland AG, Postfach, 8098 Zürich, Tel. +41-44-237 83 50, www.ubs.com
Urs Würgler
Urs has worked in IT Security for 16+ years focussing on cyber security from many
perspectives.
He is the deputy head of KPMG’s certification body where he increasingly leads
digitalization and security projects in the financial services space.
Manager, Cyber Security
KPMG
Compliance
and service
certification
Conference:
E-signatures for ZertES and eIDAS
30 March 2017
Document Classification: KPMG Confidential
© 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.
Agenda
Topics covered
— Designing user registration
— Key pain points
— Achieving and maintaining certification
Designing user registration in compliance with good practice (I)
Applicable laws and standards
— ETSI EN standards (European Norms published by ETSI)
— ZertES: Swiss law on the use of qualified digital signatures (issued by the Federal Assembly)
— VZertES: Swiss ordinance (issued by the Federal Council)
— TAV: Swiss technical and administrative regulation (issued by BAKOM)
Key controls
— User identification
— User registration
— Documentation of registration / archiving
— Certificate lifecycle
— Certificate revocation
Designing user registration in compliance with good practice (II)
Necessary steps
Step 01: Choose a TSP
— Can the TSP support your requirements?
— Does it have credentials for similar projects?
— Can the TSP propose steps?
Step 02: Gap assessment
— Is there already an on-boarding process (e.g. KYC-based in the banking environment)?
— Which legal requirements may pose a problem?
— Which processes need to be changed?
— Perform an internal risk analysis.
Step 03: Assessment response
— Perform an in-depth analysis of non-conformities.
— Circle back with KPMG regarding topics which are unclear in the law.
Step 04: Proof-of-Concept
— Design the target environment.
— Have it verified by the TSP.
— Perform a service decomposition.
— Implement the Proof-of-Concept.
Step 05: (Prepare) production
— Have the RA delegation certified.
— React to recommendations reported in the certification.
— Start on-boarding new users.
Key pain points
Important topics to consider
— Existing users
— User identification: which documents are supported by law?
— Expired identity documents
— Ambiguity imposed by law or standards
Considerations regarding user identification (I)
Requirement at the regulation level
— VZertES Art. 5 reads: "The recognized providers must require the persons who request a regulated certificate to present a passport, a Swiss identity card or an identity card approved for entry into Switzerland."
Implementation in practice
— The State Secretariat for Migration (SEM) maintains the relevant list of identity documents.
— The list is long and complex.
(Screenshot, not reproduced: SEM "List of travel documents", alphabetical list of countries, version of 1 January 2017. Source: https://www.sem.admin.ch/sem/en/home/publiservice/weisungen-kreisschreiben/visa/liste1_staatsangehoerigkeit/leg_reisedoks.html)
Considerations regarding user identification (III)
The big picture
A. Schengen countries
— Passports and IDs are accepted. No visa required.
B. Third-country nationals
— The validity of the travel document must extend at least three months after the intended date of departure from the Schengen Area;
— and the travel document must have been issued within the previous 10 years.
C. Special cases
— Palestine is not recognized by Switzerland
— Several countries may become Schengen member states in the foreseeable future
Supporting existing users
Assumptions
— A significant number of users was identified in the past.
— Users cannot be required to undergo identification again.
Questions to ask
— How many users are in scope?
— Are all details of the identification requirements known?
— How difficult is it to determine non-compatible identifications?
— How are incompatible identifications dealt with?
A special case: expired identity documents
BAKOM message
— "Expired identification documents cannot be used to identify a user in a QES (Qualified Electronic Signature) context"
Reacting to this requirement
— Start with new users only.
— Establish which percentage of registered users has used an expired identity document.
— Calculate the approximate number of concerned users.
— Decide how to process users with incompatible identifications
  - One outcome may be that these users are not given the opportunity to digitally sign.
  - It may be possible to re-register users.
Ambiguity imposed by laws or standards
The problem
— Laws are updated infrequently and lag behind technical advancement.
— Standards may provide more details but are usually not precise in all aspects.
Clarifying the situation
— KPMG is often approached to comment on laws and standards.
— We frequently interface with authorities which appreciate specialist questions (e.g. BAKOM).
— It is often necessary to request a written statement from such an authority.
— We cannot interface with authorities which do not further comment on laws (e.g. EJPD).
Achieving and maintaining certification (I)
Who must be certified?
In a QES context the TSP (Trust Service Provider) must be certified using a PKI certification scheme.
Why is certification required?
According to ZertES (Art. 17) an issuer of qualified certificates must be certified.
ZertES (Art. 18) states that the certification body is liable if damages occur because the certification body did not conform to its duties phrased in the law.
The only way for KPMG to prove that it lives up to its duties is by performing a certification audit.
Why should this concern an end-user organization?
If identification / registration processes take place within the end-user organization then these processes are part of the certification («Delegation of Registration Authority (RA) processes to the end-user organization»).
The TSP must have a proof indicating that the RA processes work as required.
Achieving and maintaining certification (II)
What is the result of achieved certification?
— An achieved certification demonstrates that the certified entity is compliant with both national law and applicable standards.
— Certification is required for inclusion in certificate store programs maintained by companies such as
- Adobe
- Apple
- Google
- Microsoft
Achieving and maintaining certification (III)
Who defines how often certification needs to take place?
1. National bodies/laws (e.g. ZertES)
2. International standards
3. Maintainers of certificate stores
Why is this important?
Companies such as Google may
- Have requirements that go beyond those phrased in standards
- Require a particular rhythm for certification
We want to be judged by the outcomes
Questions?
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough examination of the particular situation.
kpmg.com/socialmedia kpmg.com/app
Panel discussion: “The future of electronic signatures”
Questions and Answers
Thank you for joining our conference
30 March, 2017 @ Park Hyatt Zurich
e-Signatures for ZertES and eIDAS

2017.03.30 - e-Signatures Conference for ZertES and eIDAS

  • 6. Content • Short history of e-signatures • The non-repudiation challenge and the What You See Is What You Sign (WYSIWYS) solution • How to render electronic signature easy to use – pioneering the concept of remote sole control • Cryptomathic Signer to save money, digitalise and improve customer experience
  • 7. How did it all start? • Driven by Europe and the EC in the late nineties • Electronic, digital and advanced signatures • Premature legislation • The anticipation that chipcards would solve all problems • The intention was good, but the execution was provided by consultants, lacking experience • As so often before • And certainly not the last time
  • 8. How did it all start at Cryptomathic?
    • With invaluable experience, first of all
    • The Danish government sponsored 9 pilots; Cryptomathic participated in 3 of them
    • The EC project SEMPER (Secure Electronic Marketplace for Europe), in which Cryptomathic was a major partner
      • We did not achieve as much as we had hoped, but we identified a lot of issues
    • Inspiration from customers, in particular SDC in Denmark
    • Robert Elgaard, and a dinner with a nice bottle of Barolo in Piemonte
  • 9. The real challenges, and the proposal for the solution
    • Challenges
      • Non-repudiation in the legal sense, not just the mathematical one
      • You do not really sign a document, you sign a hash value
      • How do you ensure that what you sign is the hash value of what you intend to sign?
      • The concept WYSIWYS was born (1998, joint paper with our CTO, Dr Torben Pedersen)
    • The proposed solution
      • Chipcards… but not many chipcard readers around
      • We then asked: if you deposit your money, why not your secret key?
  • 10. The Achilles heel of most PKI solutions: revocation!
    • A certificate purports to say something about the future
    • But in fact it only says something about the past, much like a driver's license
    • In the chipcard world, even if you revoke a certificate, anybody with access to the chipcard holding the corresponding private key can go on generating digital signatures
    • Not so with central signing
  • 11. The Signer was born!
  • 12. Pioneering the concept of Remote Sole Control
    • Signer
      • Your secret key is as secure in a vault somewhere as all your other deposited assets
      • It is under your sole control
      • And if it is revoked, no more signatures will be generated
      • The access control can be as strong as you want it; many options
    • WYSIWYS
      • Which in a nutshell means that the semantic content of a digitally signed message cannot be changed, either by accident or by intent
  • 13. So security is as high as it gets – what about the rest?
    • The eIDAS legal framework can be fully exploited; in fact, Cryptomathic Signer paved the way for new legislation
    • The operational cost is absolutely minimal: hardly ever a need for support
    • The sustainability is indisputable: no paper, no transport except electronically
    • User friendliness can be given top priority: no hardware to install at the user end
    • Security can be tailored to meet any need
  • 14. And just for completeness • The concept on the remote Signer earned us the nomination at the World Economic Forum in Davos in 2003 as one of the most innovative companies in the world of that year • We have a number of patents on our innovations • Remote Signer • WYSIWYS • ……
  • 15. Conclusion: To be one of the key initiators of this approach to e-commerce and e-banking is probably the most useful thing I ever did. And our excellent team will keep improving and enhancing it for the benefit of our customers and society.
  • 17. What is Signer? Input: Data to be signed Output: Signed data (QES level) In the middle: we provide the necessary technology for the signing experience and can leverage the existing environment and procedures (KYC, IdM, DMS, Auth services/IdP etc.)
  • 18. Trust in a 3-tier architecture
    • WYSIWYS Server
      • Receiving the document from a trusted source
      • Outputting the signed document to a trusted source
    • Client
      • Displaying the document over trusted viewing
      • Ensuring user commitment and sole control
    • Signer
      • Terminating the user's sole control in the SAM
      • Managing the user's keys
      • Verifying the SAD and validating IdP authenticity
  • 19. Where does Signer fit? (architecture diagram; labels only)
    • Domains shown: User Domain, Partner Domain, Application Domain, Trust Domain
    • End User (signs documents from a regular web browser or an app); Second Authentication (e.g. OTP, SMS, challenge-response)
    • WWW; Web Application Firewall; RA Partner Portal incl. User management; Identity Provider (SAML / OpenID Connect)
    • Business Application; Document Management Service; Repository
    • Cryptomathic Signer; Cryptomathic WYSIWYS Server; Cryptomathic Authenticator; CA Services; OCSP Responder; Time Stamping Authority
  • 20. Urs Paul Holenstein Head of Legal Data Processing Unit, Federal Office of Justice FOJ Holenstein’s unit tracks and promotes the development of legal data processing systems, is contact point for other departments’ questions on IT law, and in charge of the FOJ's legal data processing projects especially relating to criminal registry, electronic administrative processes, debt collection and bankruptcy, commercial, civil, and land registries. It also represents FOJ's interests in federal legal data processing projects and on specialist bodies. He was responsible for the Revision of the Swiss signature law.
  • 21. ZertES and eIDAS, the revised Swiss signature law and alignment work with eIDAS
  • 22. Federal Department of Justice and Police (EJPD), Federal Office of Justice (BJ), Legal Informatics Unit (Fachbereich Rechtsinformatik). Are ZertES and eIDAS (in)compatible? 30 March 2017
  • 23. Background
    • On 28 March 2012 the consultation procedure on a complete revision of the Federal Act of 19 December 2003 on Certification Services in the Field of Electronic Signatures (ZertES; SR 943.03) was opened.
    • The ZertES is to be completely revised in a "minimally invasive" way, without touching its basic structure and terminology.
    • The European Directive 1999/93/EC on "a Community framework for electronic signatures" was also the guideline for the ZertES.
    • The ongoing revision work on the European signature directive was known.
    Are ZertES and eIDAS (in)compatible? | e-Signatures for ZertES and eIDAS | 30 March 2017, Urs Paul Holenstein
  • 24. Background
    • On 4 June 2012 the European Commission adopted the proposal for a "Regulation on electronic identification and trust services for electronic transactions in the internal market" for the attention of the European Parliament and the Council.
    • eIDAS Regulation: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
    • Implementing acts: see Official Journal of the European Union L 235 of 9 September 2015.
  • 25. Content of the complete revision of ZertES
    • The Federal Council adopted the dispatch on 15 January 2014 (see BBl 2014 1001). It
      • contains, in addition to the qualified electronic signature, the regulated electronic signature, which is subject to reduced requirements;
      • newly introduces the regulated electronic seal, which is available to legal entities and authorities;
      • creates the basis for regulating secure authentication with certification service products;
      • harmonises the provisions on electronic legal transactions in the federal procedural codes in content and terminology as far as possible.
  • 26. Course of the complete revision of ZertES
    • The National Council dealt with the bill on 17 December 2015 as first chamber; the Council of States followed on 29 February 2016.
    • Excerpt from the statement of National Councillor Yves Nidegger as spokesman of the National Council's Legal Affairs Committee: "When a text prompts neither minority proposals nor dissenting opinions, it is either perfect or nobody has really understood it."
    • Final vote on 18 March 2016
    • Details of the parliamentary deliberations: see Amtliches Bulletin
    • Publication in the Federal Gazette (see BBl 2016 2021)
    • The referendum deadline expired unused on 7 July 2016
  • 27. Changes brought by the complete revision of ZertES. The revision
    • changes (almost) nothing regarding the qualified electronic signature;
      • New Article 14 paragraph 2bis of the Code of Obligations: a qualified electronic signature under ZertES combined with a qualified time stamp is equivalent to a handwritten signature.
    • creates the basis for regulating secure authentication with certification service products;
    • requires adaptation of various implementing provisions (VZertES; TAV of BAKOM);
    • enters into force on 1 January 2017 (Federal Council decree of 23.11.2016).
  • 28. Scope of ZertES and eIDAS
    • eIDAS Regulation
      • Part 1: electronic identification means
      • Part 2: trust services: electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services, certificates for website authentication
    • ZertES and its implementing provisions regulate the area of trust services (without delivery services)
    • On 22 February 2017 the Federal Council opened the consultation on the E-ID Act
  • 29. Significance of ZertES and eIDAS
    • The eIDAS Regulation has been directly applicable in all EU member states since 1 July 2016.
      • Discussion about the need to adapt or repeal national legislation (e.g. in Germany).
    • Implementation in Switzerland has taken place (ZertES) or has begun (E-ID Act, mandatory electronic legal transactions (ERV)).
    • BUT: the completely revised ZertES and the new E-ID Act are in principle eIDAS-compatible, but without mutual recognition (a bilateral treaty with the EU is required) corresponding applications are legally practically worthless, or at least not unproblematic.
  • 30. Are ZertES and eIDAS (in)compatible?
    • ZertES and the eIDAS Regulation form legal frameworks that can refer to the same technical (ETSI) standards. These distinguish, for example, four signature formats:
      • XAdES (XML Advanced Electronic Signatures)
      • CAdES (CMS Advanced Electronic Signatures)
      • PAdES (PDF Advanced Electronic Signatures)
      • ASiC (Associated Signature Containers)
    • The EU uses a different standard for signing PDF or PDF/A documents than Switzerland (and not uniformly the same standard either).
    • validator.ch is not able to verify documents that were signed based on this standard.
    • Foreign and EU certificates are in any case unknown to validator.ch.
  • 31. Urs Fischer CEO SwissSign • Graduate in engineering and business administration • My passion is to enable digital transformation • My goal is to make technologies user-friendly
  • 32. Certificates - the trust anchor for your digitalisation strategy
  • 33. This is Lisa. Shopping. Banking. Socialising. She is living in a digital world.
  • 34. Trust as the base
    • More and more digital processes enter our world
    • They allow for a variety of new services
    • To make use of them we need trust
    • As trusted third parties, Certificate Authorities (CAs) have for decades guaranteed a trusted base for virtual services
    As a Certificate Authority, SwissSign transforms trust in digital processes.
  • 35. Trust anchor
    • For companies and private persons SwissSign is the best trust anchor
    • This trust anchor is based on three pillars: emotion, processes and high tech
    • Trust is a value with more aspects than security
    • Swissness plays an important role, but so does reputation
    • As well as technologies and processes
    • And people standing up for security
    Our certificates make the trust anchor strong and stable.
  • 36. Guarantor for compliance
    • "Certificate Authorities" are issuers of qualified digital certificates
    • They have to ensure that the necessary regulatory requirements are fulfilled in order to issue qualified certificates
    • A Certificate Authority is held liable by law for non-compliance with regulations
    • SwissSign offers know-how, processes and technology to enable you to fulfil the business AND compliance requirements
    Thus, SwissSign becomes a guarantor for compliance.
  • 37. Your Trusted Partner for Digital Identities • 15 years experience with digital identities • Covering both Swiss and European judicial areas • Delivering a framework for enabling your identities for qualified signatures within your business processes (e.g. RA delegation) • Joint venture of Swiss Post and SBB • Certified to ZertES, ETSI (eIDAS), FINMA-Outsourcing, ISO 27001 SwissSign loves to keep you safe!
  • 38. Urs Zurbuchen Engineer and consultant for design and implementation of IT security solutions, Urs Zurbuchen brings more than 20 years of experience in Identity & Access Management and web application security to the table. Bridging business and security requirements, he strengthens our customers' digitalisation efforts and enables them to focus on making their visions a reality. Senior Security Consultant, Ergon Airlock
  • 39. A common security and authentication framework for multiple applications
  • 40. On Track for Security. Airlock IAM is the suite's central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration. The talk shows how Airlock IAM goes beyond simple web authentication and empowers your digital signature solution to provide new solutions.
    • Re-use your digital signature infrastructure
    • The transaction-oriented side of digital signatures
    • Identity Management
  • 44. Requirements
    • Digital signature infrastructure
    • User directory with signature information
    • Self-services
    • Application integration
  • 45. Identity Management: self-service processes
    • Identity (self-)registration
    • Token management (activation, migration)
  • 46. Bringing it all together Beyond simple web authentication
  • 47. Nick Pope Nick Pope is a principal consultant at Thales e-Security supporting their customers on use of Thales’ hardware security modules in banking, governmental and commercial sectors. He has been involved in EU standards relating to electronic signatures for more than 15 years and before that development of X.509 standards in ISO. Currently, Nick is chair of the ETSI steering group on signature creation and validation and liaison representative on the CEN Working Group on signing devices. Thales Vice Chair, ETSI TC Electronic Signature & Infrastructures
  • 48. CEN and ETSI standards and compliance
  • 49. eIDAS "levels" of compliance for electronic signatures
    ▌ Electronic Signature
      • Anything which is used to sign
    ▌ Advanced Electronic Signature
      • Electronic Signature with "sole control" properties such as provided by public key technology
      • TSP can offer what is considered current good practice but takes on liability
    ▌ Qualified Electronic Signature
      • Advanced Electronic Signature which meets specific technical & security requirements as specified in the regulation
      • Supervisory authority confirms that the TSP meets regulatory requirements based on audit
      • Option for the "TSP" to hold the key on behalf of the "signatory"
  • 51. eIDAS Standards Framework Trust Services supporting signatures National Guidelines
  • 52. eIDAS Standards Framework Advanced e-Signature / e-Seal Formats Implementing Decision 2015/1506
  • 53. eIDAS Standards Framework Trust Services supporting signatures Implementing decision 2016/650
  • 54. Implementing Decision 2016/650 on Qualified Signature / Seal Creation Devices
    ▌ Local signing (e.g. smart cards): reference made to Common Criteria evaluation standards, EN 419 211 – Protection Profiles for QSCD, mainly applied to smart cards
    ▌ For remote (centralised server) signing: repeats the statement from the eIDAS regulation that in the absence of standards a QSCD can be evaluated by a national body using "comparable security levels"; the proposed draft standard (EN 419 241) is expected, with the current draft under evaluation and formal review
  • 56. Standards for cloud signing
    • prEN 419 241-1 Security Requirement for Trustworthy Systems Supporting Server Signing
    • prEN 419 241-2 QSCD for Server Signing
    • PP 419 211-5 Cryptographic Module for Trust Services (Server Signing)
    ▌ QSCD: HSM + SAM
    ▌ Signature Activation Module (SAM)
      • Checks the Signature Activation Data (SAD): user is authenticated, the hash, key identifier
      • Uses a Cryptographic Module (Crypto) for the signature operation
  • 57. Thales nShield & eIDAS
    ▌ Current nShield has eIDAS certification; see https://ec.europa.eu/futurium/en/content/compilation-member-states-notification-sscds-and-qscds
    ▌ EN 419 221-5 evaluation is in progress
    ▌ CodeSafe within nShield provides a protected environment to run protected code, i.e. the environment protection required by EN 419 241-2
  • 58. nShield for cloud signing (diagram; labels: SAM, Crypto, CodeSafe)
  • 60. KYOS – Thales partner in CH. Experts in security, networks and IT services. Founded in 2002. Based in Geneva and St. Gallen:
    • Headquarters in Geneva with focus on Suisse romande
    • Branch office in St. Gallen with focus on the DACH region
    KYOS values:
    • Close to customers and strong reactivity
    • Services oriented
    • Professional ethics & modesty
  • 61. KYOS: Your Security and IT partner in Switzerland
  • 62. Conclusions
    ▌ Draft standard (EN 419 241) for remote signing under evaluation / review
    ▌ The Cryptomathic solution, running on Thales nShield HSM, is already closely aligned with the draft standards
    ▌ Expect the draft standard to be accepted by nations as providing a "comparable security level" to smart card based solutions
    ▌ Obtaining copies of standards: for free download of ETSI standards see http://www.etsi.org/standards-search; for CEN standards, contact your national standards organisation
  • 63. CRYPTOMATHIC Case Study – UBS Electronic Signature. Rüdiger Lobrinus, Managing Director, UBS Switzerland AG, Head – 1 Wealth Management Platform & Strategic Platform Development. Rüdiger Lobrinus joined the Multichannel Management & Digitization (MM&D) department of UBS Switzerland AG in May 2004 and, amongst other duties, manages the Wealth Management Online programme.
  • 64. CRYPTOMATHIC Case Study – UBS Electronic Signature. Philipp Kuhn, Director, UBS Switzerland AG, Business Project Manager Electronic Signature. Philipp Kuhn joined the Wealth Management Online team within Multichannel Management & Digitization (MM&D) in February 2014, where he is leading the Electronic Signature project as well as MiFID II.
  • 65. CRYPTOMATHIC – Case Study UBS Electronic Signature
  • 66. Public March 30, 2017 Wealth Management Online Bringing the UBS way to invest online
  • 67. Basic products will be digital only, but advisory services require a seamless multichannel experience (chart: product distribution of simple products, e.g. cards and accounts, and of complex products, e.g. investing and mortgages, today vs. in 5 years, split into digital only / multichannel / branch only; values shown are 10% and 70% for simple products and 45% and 70% for complex products. Source: McKinsey, study in the US and Western Europe)
  • 68. Overview Wealth Management Online: UBS Advice, UBS Manage; Alerts; Show-the-gap; Close-the-gap; Straight-through processing; Investment Strategy explained; Performance in context; Stress scenarios; Auxiliary functions: CIO and Impact, Portfolio reporting; Available on mobile; Electronic Signature
  • 69. Why e-signature and a focus on WM clients? More convenience for the client & increased efficiency for the bank
    • Wealth Management clients sign approximately 10 documents per annum
    • A total of 2500 documents a client could sign
    • Over 2.5 million signed documents per annum
  • 70. Pre-requisites
    1. UBS e-banking
    2. Highest possible non-repudiation
    3. No additional hardware requirements for the client
    4. Simple user experience (UX), integrable in existing UBS processes
  • 71. Request for proposal, in 2015: global request for proposal; contacted 20 companies; company pitches; detailed analysis of offers
  • 72. Vendor selection and implementation (diagram labels: General Contractor, Certification Authority). Within one year and three months the project was realized and rolled out to clients, including the certification by OFCOM (SAS SECO), mandated to KPMG Switzerland.
  • 73. Certification: close collaboration / consultation with OFCOM / KPMG throughout. Includes UBS as a signature generation service provider (SGSP) (incl. CEN 419.241:2014) and as a registration authority (RA) delegated from SwissSign AG.
  • 74. Overall result: 1st Swiss bank that has integrated and certified all relevant components for a Qualified Electronic Signature
  • 75. Public March 30, 2017 Agreements The Electronic Signature via UBS e-banking
  • 76. Goals & advantages. Key advantages of using the 'Agreements' process: it is easy to use and has an extended range of benefits (convenience, security & efficiency): secure transmission; instant availability; legally binding; CO₂ friendly; no mailing expenses; strong non-repudiation; international recognition
  • 77. Agreements – the UBS electronic signature: reduction of admin work; focus on advising clients
  • 78. 78 HOW? Some following slides have been removed as they are confidential. Please contact Philipp Kuhn if you have any questions about his presentation.
  • 79. 79 Visit our UBS e-banking DEMO …go to www.ubs.com/e-banking
  • 80. Contact information. Rüdiger Lobrinus, UBS Switzerland AG, Postfach, 8098 Zürich, Switzerland, Tel. +41-44-237 83 50, Ruediger.Lobrinus@ubs.com, www.ubs.com. Philipp Kuhn, 8004 Zürich, Switzerland, Philipp.Kuhn@ubs.com
  • 81. Urs Würgler Urs has worked in IT Security for 16+ years focussing on cyber security from many perspectives. He is the deputy head of KPMG’s certification body where he increasingly leads digitalization and security projects in the financial services space. Manager, Cyber Security KPMG
  • 83. 83 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Agenda Topics covered Designing user registration Key pain points Achieving and maintaining certification
  • 84. 84 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Designing user registration in compliance with good practice (I) — ETSI EN standards (issued by the European Union) — ZertES – Swiss law on the use of qualified digital signatures (issued by the Federal Convention) — VZertES – Swiss ordinance (issued by the Federal Convention) — TAV – Swiss regulation (issued by BAKOM) Applicable laws and standards — User identification — User registration — Documentation of registration / Archiving — Certificate lifecycle — Certificate revocation Key controls
  • 85. 85 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Necessary steps Designing user registration in compliance with good practice (II) (Prepare) productionChoose a TSP Gap Assessment Assessment response 0501 02 03 04 STEPSTEP STEP STEP STEP Proof-of-Concept Have RA Delegation certified. React to recommendations reported in the certification. Start on-boarding new users. Can the TSP support your requirements? Has it credentials for similar projects? Can the TSP propose steps? Is there already a on- boarding process (e.g. KYC-based in the banking environment?) Which legal requirements may pose a problem? Which processes need to be changed? Perform an internal risk analysis. Perform an in-depth analysis of non- conformities Circle back with KPMG regarding topics, which are unclear in the law. Design the target environment. Have it verified by the TSP. Perform a service decomposition. Implement the Proof-of-Concept.
  • 86. 86 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Important topics to consider Existing users User identification – which documents are supported by law? Expired identity documents Ambiguity imposed by law or standards Key pain points
  • 87. 87 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.© 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Document Classification: KPMG Confidential Requirement at the regulation level — VZertES Art. 5 reads — «The recognized providers must require the persons who request a regulated certificate to present a passport, a Swiss identity card or an identity card approved for entry into Switzerland.» Implementation in practice — The State Secretariat for Migration (SEM) maintains the relevant list of identity documents. — The list is long and complex. Considerations regarding user identification (I) List of travel Documents Alphabetical list countries A B C D F G H I J K L M N O P Q R S T U V W X Y Z Version of 1 January 2017 Source: https://www.sem.admin.ch/sem/en/home/publiservice/weisungen-kreisschreiben/visa/liste1_staatsangehoerigkeit/leg_reisedoks.html
  • 88. 88 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. The big picture Considerations regarding user identification (III) Schengen countries — Passport and IDs are accepted. No visa required. Third-country nationals — The validity of the travel document must extend at least three months after the intended date of departure from the Schengen Area; — and the travel document must have been issued within the previous 10 years Special cases — Palestine is not recognized by Switzerland — Several countries may become Schengen member states in the foreseeable future A B C
  • 89. 89 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Supporting existing users — A significant number of users was identified in the past. — Users cannot be subjected to be identified again. Assumptions — How many users are in scope? — Are all details of identification requirements known? — How difficult is it to determine non- compatible identifications? — How are incompatible identifications dealt with? Questions to ask
  • 90. 90 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. BAKOM message — «Expired identification documents cannot be used to identify a user in a QES (Qualified Electronic Signature) context» Reacting to this requirement — Start with new users only. — Establish which percentage of registered users has used an expired identity document. — Calculate the approximate number of concerned users. — Decide how to process users with incompatible identifications - One outcome may be that these users are not given the opportunity to digitally sign. - It may be possible to re-register users. A special case – Expired identity documents
  • 91. 91 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Ambiguity imposed by laws or standards The problem — Laws are updated infrequently and lag behind technical advancement. — Standards may provide more details but are usually not concise in all aspects. Clarifying the situation — KPMG is often approached to comment on laws and standards. — We frequently interface with authorities, which appreciate specialist questions (e.g. BAKOM). — It is often a necessity to request a written statement from such an authority. — We cannot interface with authorities, which do not further comment on laws (e.g. EJPD).
  • 92. 92 Document Classification: KPMG Confidential © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved. Achieving and maintaining certification (I) Who must be certified? In a QES context the TSP (Trust Service Provider) must be certified using a PKI certification scheme. Why is certification required? According to ZertES (Art. 17) an issuer of qualified certificates must be certified. ZertES (Art. 18) states that the certification body is liable if damages occur because the certification body did not conform to its duties phrased in the law. The only way for KPMG to prove that it lives up to its duties is by performing a certification audit. Why should this concern an end-user organization? If identification / registration processes take place within the end-user organization then these processes are part of the certification («Delegation of Registration Authority (RA) processes to the end-user organization»). The TSP must have a proof indicating that the RA processes work as required.
  • 93. Achieving and maintaining certification (II)
  What is the result of achieved certification?
  — An achieved certification demonstrates that the certified entity is compliant with both national law and applicable standards.
  — Certification is required for inclusion in certificate store programs maintained by companies such as
  - Adobe
  - Apple
  - Google
  - Microsoft
  • 94. Achieving and maintaining certification (III)
  Who defines how often certification needs to take place?
  1. National bodies/laws (e.g. ZertES)
  2. International standards
  3. Maintainers of certificate stores
  Companies such as Google may
  - Have requirements that go beyond those phrased in standards
  - Require a particular rhythm for certification
  Why is this important?
  We want to be judged by the outcomes
  • 96. The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. kpmg.com/socialmedia kpmg.com/app
  • 97. Panel discussion “The future of electronic signatures”
  • 99. Thank you for joining our conference 30 March, 2017 @ Park Hyatt Zurich e-Signatures for ZertES and eIDAS