Trusted E-ID Infrastructures and Services in EU

Trusted E-ID Infrastructures and Services in EU

Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 European Union Agency for Network and Information Security www.enisa.europa.eu Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors This report has been produced by ENISA (Prof. Manel Medina and Clara Galán) in collaboration with Atos Consulting (Alejandro Elices and M. Elena Martínez B.) and with the support of EC DG Connect unit H4 and the ISPC of the JRC. Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected]. Acknowledgements This report has been possible thanks to the contributions of the participants in the large scale projects: EPSOS, PEPPOL (Jon Ølnes and Lefteris Leontaridis) and e-CODEX, that kindly answered the questionnaire prepared by ENISA and the contractor of this project Atos Consulting. Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2013 Reproduction is authorised provided the source is acknowledged. ISBN 978-92-9204-075-8 doi: 10.2824/26540 Page ii Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 Executive summary Under the scope of the the proposed new Regulation on electronic identification and trust services for electronic transactions in the internal market 1, which will supersede the current Directive 1999/93/EC on a Community framework for electronic signatures, ENISA has conducted a study about the security mechanisms and interoperability issues specific to the new regulated trust services. The aim of this report is to complement the report that summarises the results of the survey, also published by ENISA: “TSP services, standards and risk analysis report”2, making more specific recommendations to e-Government service providers, encouraging them to use Trusted Third Party service providers to implement the trust services required to give citizens the expected level of confidence and trustwotthines on the services. This document collects the experience of some of the Large Scale Pilots3 (LSP) funded by the European Commission, that implement trust services defined in the proposed new Regulation (in particular epSOS, e-CODEX and PEPPOL), as cases studies to analyse the current practices and identify gaps and improvement opportunities. Then, the recommendations collected in the Trust Service Providers (TSP) overview report published by ENISA4 have been adapted for the provision of e-Government Services, which include issues for security practices and risk management. The following categories of recommendations have been considered the most relevant ones, to assist in defining and establishing the basis to offer trustworthy e-Gov. services to EU citizens5: REC.6.R: Specific BCM (Business Continuity Management) standards should be adopted in the provision of trusted services (by TSPs) and required by the e-Government customers. REC.5.R, eGov_R1: There is a need to define standard qualified profiles and best practices for trusted services, in order to clarify the definition of the services (SLA) and to standardize the QoS to be required by e-Government from TSPs. REC.2.R: Promote Trusted Marks assessed against eIDAS requirements that would be recognised across borders. Independent Trust Services should be integrated in e-Gov. services, with European scope, complying both with European eIDAS Regulation and national supervision. Assessment of qualified trust Services schemas should be extended to other TSPs regulated in the future6, and mutual assistance system between supervisory bodies in the Member States should be set up. Based on the criticality of the e-Gov. services, always assess three aspects: o REC.3.R: the strength of the authentication mechanisms to be used, giving priority to e- signature o REC.4.P: the need for end-to-end encryption and o eGov_R8 (TSP_R4): the need for audit trails to collect and preserve electronic evidences. 1 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:en:PDF 2 http://www.enisa.europa.eu/publications#c2=publicationDate&reversed=on&c5=all&c0=10&b_start=0 3 http://ec.europa.eu/digital-agenda/en/egovernment 4 The “TSP services, standards and risk analysis report” will be published in ENISA’s website: http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables . 5 See full list in Section 3. The letter following the recommendation number indicates the category of stakeholder with higher responsibility on its implementation: Trust Service Providers (P), the Regulators/Supervisors (R) or the eGovernment SP (G). 6 Once the draft Regulation on electronic identification and trust services will be approved by the European Parlaimant. Page iii Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 Table of Contents Executive summary iii 1 Introduction 1 1.1 Motivation 2 2 Study Cases 3 2.1 epSOS 3 2.2 e-CODEX 4 2.3 PEPPOL 5 3 Recommendations 8 3.1 General recommendations to e-Government service providers 8 3.2 General recommendations to Member States Regulators 9 3.3 Specific Recommendations for Trust Service Providers 9 3.4 Summary of Recommendations 10 4 Annex I: Abbreviations 12 Page iv Trusted e-ID Infrastructures and services in EU Recommendations for Trusted Provision of e-Government services Report, December 2013 1 Introduction The European Commission presented in July 2012 a proposal for a new Regulation on electronic identification and trust services for electronic transactions in the internal market7, which will supersede the current Directive 1999/93/EC on a Community framework for electronic signatures. Art. 15 of the proposed Regulation establishes certain provisions regarding the security requirements applicable to trust service providers. In order to facilitate the implementation of this provision, as well as to generally support trust service providers (TSP) in the introduction of security best practices, the European Union Agency for Network and Information Security (ENISA) is working on 2013 on a series of studies on the security aspects of trust service providers issuing electronic certificates, as well as on the security and interoperability aspects specific to the new trust services foreseen in the proposed Regulation. One of the actions taken on those studies was a survey conducted by ENISA to Trust Service Providers 8 (TSP). Another action was the brief analysis of some Large Scale Pilots operating in Europe, focusing on the use of: Electronic certificates, including e-Signature ones (summarized in other ENISA reports9) Electronic time stamps (creation and handling) ElectronicDocuments10 storage or management (creation, handling or preservation) Electronic delivery of eDocuments services (handling, preservation) Validation of electronic signatures (documents, certificates, seals, websites) Longtime preservation of electronic signatures (documents, time stamps) The definition of “trust service” in the EU Regulation is quite wider, since teorically covers all combinations of the services applied over the objects shown in the Table 1 below. Table 1: Trust services as defined in the EU Regulation 7 (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0238:FIN:en:PDF) 8 The “TSP services, standards and risk analysis report” will be published in ENISA’s website: http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables. 9 http://www.enisa.europa.eu/activities/identity-and-trust/trust-services 10 An eDocument should be considered as any kind of data digitally signed using advanced electronic signature (with or without an electronic signature creation device) Page 1 Trusted e-ID Infrastructures and services in EU Recommendations

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us