IDA Interchange of Data between Administrations: A ‘bridge CA’ for Europe’s public administrations. European Signatures vs Global Signatures, EESSI, Rome, 7th April 2003. Paul E Murphy, IDA, Enterprise Directorate General, European Commission

Post on 18-Dec-2015


TRANSCRIPT

Page 1: IDA Interchange of Data between Administrations A ‘bridge CA’ for Europe’s public administrations European Signatures vs Global Signatures EESSI, Rome,

IDA
Interchange of Data between Administrations

A ‘bridge CA’ for Europe’s public administrations

European Signatures vs Global Signatures

EESSI, Rome, 7th April 2003

• Paul E Murphy
• IDA, Enterprise Directorate General
• European Commission

Page 2:

• IDA programme of DG Enterprise
• IDA bridge CA project
– history
– current developments
• Some PKI issues

Page 3:

The IDA programme

• Interchange of Data between Administrations
• Enterprise Directorate General, European Commission
• 1999 - 2004

Page 4:

The IDA programme

• Co-ordinates the exchange of information between the MS and EC in support of:
– the management of the single market
– the Community decision-making process
– a wide range of Community policies

Page 5:

What does IDA do?

• Sectoral projects for information exchange in support of the Single Market
– Agriculture, Employment, Environment, Health, Enterprises, Statistics, etc.

Page 6:

What does IDA do?

• Generic Services
– TESTA (IP network), Public Key Infrastructure (PKI CUG), CIRCA (workgroup)
• Common tools and techniques
– MoReq, architecture guidelines for interoperability, STATEL, etc.

Page 7:

IDA PKI CUG

• IDA issues X.509v3 electronic certificates
• to members of IDA Networks
• for use in:
– SSL
– S/MIME
– electronic signature
• Now proposes a ‘bridge CA’

Page 8:

Why?

• eEurope Action Plan
– support for electronic signatures in public administration
• Member States’ policy
– ability to use the electronic certificates issued by their national CAs in pan-European business
• IDA policy
– encourage interoperability, use of standards, use of e-signature, etc.
– Conclusions from previous projects

Page 9:

Feasibility study

• Collect and summarise the views of the Member States
• Raise major potential issues
– legal and political
– organisational
– technical
• Discuss possible solutions
• Propose further steps

Page 10:

Legal and political aspects

• No reluctance to the principle of mutual recognition of national Certification Authorities
– some level of national control was requested
• The major issue raised was the understanding of electronic signatures
– qualified certificates versus non-qualified
– understanding of (in particular) Article 5 of the European Directive
– requirement to establish equivalence rules between qualified certificates throughout Europe
• The liability of the authorities issuing certificates should be limited to the respect of attribution procedures

A series of issues to be agreed prior to operations

Page 11:

Governance

• Comply with existing IDA rules
• Organisational instance to be defined, including:
– a Governing Body composed of representatives
  • of the Member States and of the European Institutions ?
  • of the participating Certification Authorities ?
– a specific team to manage operations
– a technical infrastructure depending on the architecture chosen
• Definition and application of procedures
– agreement of a given CA to be recognised by the bridge
– periodic verification of compliance

Ways to manage the common organisation

Page 12:

Core functionality

• Exchange and renewal of cross-certificates or of any equivalent information (e.g. signed lists of trusted root certificates)
• Publication of general information
– Certificate Policies
• Publication of certification information
– trusted CA certificates
– certificate revocation lists
• Publication of technical interoperability specifications
• According to the solution chosen, availability of a test bed to validate the interoperability of a given CA with the other ones

Required services to all user profiles

Page 13:

Major recommendation

• A set of organisational measures and of technical tools participating in establishing permanent, secure and reliable trust between the Public Key Infrastructures established by the Member States for the usage of their public sector
• The primary goal is to help civil servants to recognise the valid credentials of their correspondents in other Member States, hence to establish a secure environment for electronic data exchange
– as a secondary goal, the same service could be provided to companies and individuals to recognise civil servants
• Optionally, other PKIs, in particular those providing Public Key Certificates to the major partners of the Administrations, could be recognised as well

Set up an intermediate infrastructure

Page 14:

Suggested organisation

[Organisation chart with boxes: Governing body, Policy Authority, Technical assessors, Member States, European Institutions, Member CAs, Management team]

Page 15:

Memorandum of Agreement

• Must be established before any operational start up
• Should cover the following descriptions
– responsibility, commitments and liability of all participating authorities
– rules for the governance of the intermediate infrastructure
– building blocks of the certificate policies, including
  • profile of contents
  • assurance levels
  • management procedures
– services provided and expected from the infrastructure by the participating and relying parties
– procedures for an applicant party to become a participating authority

The basic charter of collaboration

Page 16:

Architecture

• Hierarchy
– a central Certification Authority recognises each CA of the Member States or of national organisations
– relying parties just trust the central CA
• Mesh
– the Certification Authorities of the Administrations or of public bodies directly recognise each other
– each relying party just trusts its own CA that in turn trusts the remote CA
• Web / trust model
– a repository of trusted Certification Authorities
– each relying party trusts all distributed certificates of the list
• Hub-and-spoke infrastructure ("bridge")
– a central technical infrastructure cross-recognises each concerned CA
– each relying party just trusts its own CA that trusts the bridge that in turn trusts the remote CA

Possible ways to interconnect the Public Key Infrastructures
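
Added example (not part of the original slides): the four interconnection models above expressed as directed "issuer has certified subject" graphs, with a breadth-first search for the certification path a relying party in one domain needs to reach a remote CA. The names Root and Bridge, the full mesh, and the 15 member CAs are assumptions made for illustration; the last step shows how many certificates must be withdrawn to exclude one CA under the mesh and bridge models.

```python
from collections import deque

MODELS = ("hierarchy", "mesh", "trust_list", "bridge")


def trust_edges(model, cas, hub="Bridge", root="Root"):
    """Directed edges (issuer, subject): issuer has certified subject.

    'Root' and 'Bridge' are assumed names; the mesh is assumed to be full.
    """
    if model == "hierarchy":      # central CA recognises each member CA
        return {(root, ca) for ca in cas}
    if model == "mesh":           # CAs recognise each other pairwise
        return {(a, b) for a in cas for b in cas if a != b}
    if model == "trust_list":     # no CA-to-CA certificates, only a list
        return set()
    if model == "bridge":         # each CA cross-certifies with the hub
        return {(ca, hub) for ca in cas} | {(hub, ca) for ca in cas}
    raise ValueError(f"unknown model: {model}")


def trust_anchors(model, own_ca, cas, root="Root"):
    """CAs the relying party trusts directly, following the slide's wording."""
    if model == "hierarchy":
        return {root}
    if model == "trust_list":
        return set(cas)
    return {own_ca}


def find_path(edges, anchors, target_ca):
    """Shortest certification path from a trust anchor to target_ca, or None."""
    issued = {}
    for issuer, subject in edges:
        issued.setdefault(issuer, []).append(subject)
    queue = deque([a] for a in sorted(anchors))
    seen = set(anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == target_ca:
            return path
        for nxt in sorted(issued.get(path[-1], [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def compare(cas, own_ca, remote_ca):
    """Per model: (number of CA-to-CA certificates, path to remote_ca)."""
    result = {}
    for model in MODELS:
        edges = trust_edges(model, cas)
        anchors = trust_anchors(model, own_ca, cas)
        result[model] = (len(edges), find_path(edges, anchors, remote_ca))
    return result


def exclude_ca(edges, ca):
    """Drop every certificate issued to `ca`; return (new_edges, number dropped)."""
    kept = {(i, s) for (i, s) in edges if s != ca}
    return kept, len(edges) - len(kept)


if __name__ == "__main__":
    cas = [f"CA-{n}" for n in range(1, 16)]   # constructed: 15 member CAs
    for model, (certs, path) in compare(cas, "CA-1", "CA-3").items():
        print(f"{model:10s} certs={certs:3d} path={' -> '.join(path)}")
    for model in ("mesh", "bridge"):
        edges, dropped = exclude_ca(trust_edges(model, cas), "CA-3")
        path = find_path(edges, {"CA-1"}, "CA-3")
        print(f"{model:10s} certificates to revoke={dropped} path after={path}")
```

With the trust-list model the path has length zero because every listed CA is itself a trust anchor, so excluding a CA there means re-issuing and re-signing the list rather than revoking a certificate.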

Page 17:

Hierarchical

[Diagram labels: CA (central); CA-1, CA-2, CA-3; Alice, Bob, Carol, David]

A central Certification Authority recognises each CA of the Member States or of national organisations
Relying parties just trust the central CA

Page 18:

Mesh (peer-to-peer cross certification)

[Diagram labels: CA-1, CA-2, CA-3; Alice, Bob, Carol, David]

The Certification Authorities of the Administrations directly recognise each other
Each relying party just trusts its own CA that in turn trusts the remote CA

Page 19:

Web / trust (distribution of trusted lists)

[Diagram labels: CTL; CA-1, CA-2, CA-3; Alice, Bob, Carol, David]

A repository of trusted Certification Authorities
Each relying party trusts all distributed certificates of the list

Page 20:

Bridge model

[Diagram labels: Bridge; Hierarchical PKI Architecture; Mesh PKI Architecture; Alice, Bob, Carol, David, Ellen, Frank, Gwen, Harry]

A central technical infrastructure cross-recognises each CA
Each relying party just trusts its own CA that trusts the bridge that in turn trusts the remote CA

Page 21:

Modified bridge CA model

[Diagram labels: Bridge CA; Eurodomain; Local Domain A, Local Domain B, Local Domain C; National CA (three), Sectoral CA; National CA PKC; National CA TL; Sectoral CA TL]

Bridge model + web / trust model

Page 22:

Suggested BCA model

• The bridge trusts (i.e. accepts to certify) each proposed member CA
• ‘Root certificates’ distributed by the bridge in the form of signed lists
– relying parties trust each CA recorded in the list
– Member States could update the list and re-sign it
• ‘Cross-certification’ with the bridge CA
– relying parties trust their own CA that is cross-certified with the bridge that in turn trusts remote CAs that are cross-certified with the bridge
• Member States may implement validation authorities inside their own administrations or public bodies

A compromise between the proposed models

Page 23:

Functioning of the suggested architecture

[Diagram labels: Bridge CA; list "CA A, CA B, CA C, … (signed bridge CA)"; CA A, CA B, CA C; DOMAIN A, DOMAIN B, DOMAIN C; Validation authority; Relying party (three). Other labels: Simple certification, Cross certification, Consultation of status, Consultation of certificates, Local verification]

Page 24:

Certificate policies

• A Policy Authority should be created by the Governing Body to:
– define the intended usage of families of certificates
– establish the associated assurance levels and minimum management procedures
– draw up and publish the resulting Certificate Policies
• European policies (possibly sectoral) rather than national policies
– simpler management
– unique understanding
– no need for complex mapping
• In the long term, the identity of policies should be registered into the certificates and the relying parties requested to verify the proper usage of certificates

A set of European-level policies

Page 25:

Current Phase: 1

• Step-by-step approach
• Draft Memorandum of Agreement / Understanding
• Outline Certificate Policy
• Outline Technical Requirements for participating CAs
• CTL Feasibility Study
• Outline Operational Procedures
• Outline of Pilot and Test Plan

Page 26:

Current Phase: 2

• Memorandum of Agreement / Understanding for participating Member States
• Bridge CA Certificate Policy
• Technical Requirements for participating CAs
• Bridge CA Technical Architecture
• Recommendations on use of CTLs
• Bridge CA Operational Procedures
• Agreed Pilot and Test Plan

Page 27:

Next Phase

• Pilot of Bridge CA:
– Generate CTLs;
– Generate Cross-Certificates
– Publicly accessible directory
• Test:
– Operation of bridge CA
– Bridge CA in a simulated IDA network
– Member State to Member State exchanges
• Bridge CA Certificate Practices Statement
• Bridge CA Certificate Policy
• Technical Requirements for participating CAs
• Bridge CA Technical Architecture
• Recommendations on use of CTLs
• Bridge CA Operational Procedures
• Agreed Pilot and Test Plan

Page 28:

Then

• Decision Time

Page 29:

Bridge CA feasibility study

• http://europa.eu.int/ISPO/ida/jsps/index.jsp?fuseAction=showDocument&parent=news&documentID=581

Page 30:

European vs Global Signatures?

• IDA needs ‘pan-European’ signatures
– ability to use electronic certificates in trans-border applications (e.g. public e-procurement)
• Establish trust in CAs in other Member States
– cross-certification?
– Mutual recognition?
– Bridge CA?
– Allow for local control

Page 31:

European vs Global Signatures?

• Establish the authenticity and validity of electronic certificates issued in a Member State other than the relying party’s
• European level certificate policies
– Correspondence with national certificate policies
• Interoperability

Page 32:

Why do we introduce PKIs?

• Work electronically with business partners
• Reduce costs or increase profits
• Increase operational efficiency
• Be more effective in achieving objectives
• Provide value added services that cannot be provided with paper-based working
• Government policy (public administration)

Page 33:

Basic requirements for PKIs

• Provide a real business benefit
• Cost-effective
• Easy / easier than paper-based equivalents
• Easy to set up
• Easy to operate
• Interoperable with other PKIs
• Add value

Page 34:

Some PKI Problems

• S/MIME v2: Authentication and confidentiality
• Scalability
• Certificate Policies
• The way people and organisations work
• Encryption
• Other problems

Page 35:

How work is performed

• Personal certificates vs. functional organisational units
• Functional certificates
– organisational units are not legal entities
• non-repudiation
• electronic signature
• ‘Registration’ of organisational units

Page 36:

How work is performed

• PKI
– Personal certificates
• Work
– Organised on functional units
• Shared functional certificates

Page 37:

How work is performed

• Role-based certificates
– The role confirms the authority of the certificate holder
– The role may determine the validity of the business event
– Volatility of personnel
• X.509 v3 certificate extensions
– Interoperability and language problems

Page 38:

Other problems

• Directory and discovery problems
• Trust relationships
– ‘Bridge’ CA
– Ability to follow a certification path
• Certificate revocation status checking
• CRLs, OCSP, etc.
• Cross-certification
• etc.

Page 39:

What do we need?

• Interoperable standards-based products that are:
– Available from multiple suppliers,
• Interoperable with or can
– Exchange information with the
» Office products typically found in modern enterprises and public sector organisations, and
– Work across Europe’s borders.
• Agreed PKI models that are congruent with the way business is carried out

Page 40:

• IDA programme of DG Enterprise
• IDA bridge CA project
– history
– current developments
• Some PKI issues

Page 41:

Thank you

Paul E. Murphy
IDA programme
European Commission (SC 15 02/65)
B-1040 Brussels, Belgium
fax: +32 2 299 0286
e-mail: [email protected]