IT Consulting Report: Romania-Korea IT Cooperation Program
Analysis of International Trends in PKI Systems
PKI ENHANCEMENT CONSULTING
Preface
This report for the "Romania-Korea IT Cooperation Program" was produced by KICA under the NIA, and ICI in Romania holds the right to modify and revise it. For further information or additional modifications, please contact KICA at the following e-mail addresses:
<Project Team>
• Project Consultants (KICA)
Title | Name | Email | Tel
Project Manager | Mr. SUNGGU JUNG | skjung@signgate.com | +82 2 360 3022
Consultant | Mr. JONGMIN CHOI | jmchoi@signgate.com | +82 2 360 3200
Consultant | Mr. SEUNGHO RYU | ice031@signgate.com | +82 2 360 3223
Consultant | Mr. SANG LEE | sglee@signgate.com | +82 2 360 3055
<Registration Information>
• Document Name: Romania-Korea IT Cooperation Program
• Document Type: Microsoft Word 2010
• Document Version: Version 1.0
• Producer: KICA
• Last Modifier: SEUNGHO RYU
• Last Modification: 5 October 2015
<Revision History>
No. | Version | Date | Reason | Description | Modified by
1 | 1.0 | 5 October 2015 | The first publication | - | SEUNGHO RYU
CONTENTS
I. Overview .......... 7
1. Definition .......... 8
2. Background and Objective .......... 8
2.1. Background .......... 8
2.2. Objective .......... 8
3. Scope .......... 9
4. Team and Related Organization .......... 9
4.1. Project Team .......... 9
4.2. Related Organization .......... 10
II. AS-IS Analysis .......... 11
1. ICT Environment Analysis .......... 13
2. Current PKI Status in Romania .......... 16
2.1. PKI Scheme .......... 16
2.2. Legal Framework .......... 17
2.3. PKI Policy .......... 18
2.4. PKI Status and Services .......... 19
III. International Trend for PKI .......... 24
1. The Current State of Korea PKI .......... 25
1.1. Overview .......... 25
1.2. Status of Laws and Standards .......... 25
1.3. PKI Model .......... 35
2. The State of Brunei PKI .......... 45
2.1. E-Government Institutional Structure .......... 45
2.2. PKI Hierarchy in Brunei .......... 46
2.3. Legal Framework of PKI in Brunei .......... 47
2.4. PKI Application in Brunei .......... 48
3. The State of Kenya PKI .......... 49
3.1. E-Government Institutional Structure .......... 49
3.2. PKI Hierarchy .......... 50
3.3. Legal Framework .......... 50
3.4. PKI Application .......... 51
4. The State of Cameroon PKI .......... 52
4.1. PKI Hierarchy .......... 52
4.2. Legal Framework .......... 53
4.3. PKI Application .......... 53
5. The State of Germany PKI .......... 54
5.1. PKI Hierarchy in Germany .......... 54
5.2. Legal Framework of PKI in Germany .......... 54
5.3. PKI Application in Germany .......... 55
5.4. PKI Policy .......... 55
6. Regulation (EU) No 910/2014 .......... 56
TABLE
<Table 1> Project Scope .......... 9
<Table 2> Related Organization List in Romania .......... 10
<Table 3> Country Profile .......... 12
<Table 4> Penetration rates of fixed broadband internet access services at national level and in urban/rural areas: 2012 – 2014 .......... 13
<Table 5> Legal Recognition of Digital Signature in Romania .......... 17
<Table 6> Qualified CAs in Romania .......... 19
<Table 7> Certificate Profiles in Romania .......... 20
<Table 8> Major PKI-enabled Government Services in Romania .......... 22
<Table 9> Major Findings .......... 23
<Table 10> Scope of Benchmarking of Korea .......... 25
<Table 11> Count of Laws and Standards .......... 26
<Table 12> Differences between Certified and Non-certified Signatures .......... 30
<Table 13> Compensation Responsibility of CA .......... 31
<Table 14> Contents of CPS .......... 32
<Table 15> GPKI and NPKI .......... 35
<Table 16> Type of Certificate .......... 37
<Table 17> Status of GPKI .......... 37
<Table 18> Application Process .......... 38
<Table 19> CA Audit Items .......... 42
<Table 20> Statistics on Accredited CAs .......... 42
<Table 21> Statistics on RA and e-Service Providers .......... 43
<Table 22> Types of Certificate and Fees .......... 43
<Table 23> Statistics on Issued Certificates .......... 44
<Table 24> Legislative Framework .......... 51
FIGURE
(Figure 1) Project Team .......... 9
(Figure 2) Government Structure .......... 13
(Figure 3) Penetration rates of broadband internet access connections: 2012 – 2014 .......... 14
(Figure 4) E-government development in the European Union (EU) Member States .......... 15
(Figure 5) PKI architecture in Romania .......... 16
(Figure 6) Considered PKI Scheme in Romania .......... 17
(Figure 7) Structure of electronic signature .......... 26
(Figure 8) NPKI model in Korea .......... 30
(Figure 9) Procedure of assignment for accredited CA .......... 31
(Figure 10) Procedure of assignment for accredited CA .......... 35
(Figure 11) GPKI System Configuration .......... 39
(Figure 12) NPKI System Organization .......... 40
(Figure 13) Organization chart of KISA .......... 40
(Figure 14) Accreditation Procedure .......... 41
(Figure 15) Procedure for regular audits .......... 42
(Figure 16) Annual Issuance of Certificates .......... 44
(Figure 17) e-Government Institutional Structure in Brunei .......... 45
(Figure 18) PKI Scheme in Brunei .......... 47
(Figure 19) PKI legal Framework in Brunei .......... 47
(Figure 20) PKI based login in TAFIS System .......... 48
(Figure 21) e-Government Institutional Structure in Kenya .......... 49
(Figure 22) PKI Scheme in Kenya .......... 50
(Figure 23) PKI legal Framework in Kenya .......... 51
(Figure 24) PKI Scheme in Cameroon .......... 52
(Figure 25) e-Post in Cameroon .......... 53
(Figure 26) PKI hierarchy in Germany .......... 54
(Figure 27) PKI legal Framework in Germany .......... 54
I. Overview
1. Definition
2. Background and Objective
3. Scope
4. Team and Related Organization
1. Definition
The current project is defined as follows:
Project Name: Romania-Korea IT Cooperation Project
Target Country: Romania
Organization: Institutul National de Cercetare-Dezvoltare in Informatica (ICI Bucuresti)
Period: 5 months (May 2015 to October 2015)
2. Background and Objective
The Romania-Korea IT Cooperation Project is a collaboration between the NIA (National Information Society Agency) and ICI to provide consulting on PKI interoperability. The background and objectives of this study are explained below.
2.1. Background
To accommodate demands from various government agencies and to cope with the increasing demand for PKI interoperability, this project was conducted by a leading Korean company on behalf of its government.
The goals of the project are to lay the foundations for a PKI network, to facilitate mutual recognition between countries, and to provide a reliable and safe Internet environment.
2.2. Objective
The objectives of this project are as follows:
- A preliminary feasibility study for the vitalization of an efficient and stable certification system will be performed.
- Measures for the future vitalization of Romania's national certification system, and for technology sharing with Korea, will be established through analysis of the legal system and local issues in Romania:
  - Analysis of the current system in Romania
  - Introduction of Korea's vitalization plan for the official certification system
3. Scope
Analysis of international trends in PKI systems, based on case studies of Korea, Germany and Belgium.
<Table 1> Project Scope
Components | Contents
Trend of Korea for PKI:
- Korean PKI system technology
- PKI policy, law and regulations
Trend of Germany for PKI:
- German PKI system scheme and technology
- PKI policy, law and regulations
- PKI operation and interoperability
Trend of Belgium for PKI:
- Belgian PKI system scheme and technology
- PKI policy, law and regulations
- PKI-enabled services and mandatory use
4. Team and Related Organization
4.1. Project Team
To facilitate cooperation, the team is organized as follows:
(Figure 1) Project Team. Romania: Mr. Bogdan Stroe; Korea: Mr. Sungu Jung.
- ICI (Romania): Mr. Bogdan Emil Stroe, Mr. Dragos Catalin Barbu, Mr. Paul Gheorghe. Roles: providing the current status, arranging and attending interviews, visioning process, examining the To-Be model.
- KICA (Korea): Mr. Sungu Jung (Project Manager), Mr. Jongmin Choi, Mr. Seungho Ryu, Mr. Sang Lee; the chart also shows an Advisor role. Roles: analyzing the current status, conducting interviews, visioning process, benchmarking, To-Be model.
4.2. Related Organization
Investigations and interviews with related organizations were conducted to understand the current PKI status in Romania. The relevant organizations and institutions are as follows:
<Table 2> Related Organization List in Romania
Organization Name
CERTSIGN (www.certsign.ro)
DIGISIGN (www.digisign.ro)
Trans Sped (www.transsped.ro)
CertDigital (www.certdigital.ro)
Alphatrust (www.alphatrust.ro)
AADR (www.aadr.ro)
Tax Declaration Service (Ministry of Finance, http://www.mfinante.ro/)
II. AS-IS Analysis
1. ICT Environment Analysis
2. Current PKI Status in Romania
The purpose of the research and analysis is to derive the direction of the PKI policy recommendation from the implications of each study (ICT environment, informatization status and PKI requirements) and from a comparison with best practices (benchmarking) in other countries.
One of the main purposes of using PKI technology is to provide secure e-Government services. The analysis of the ICT sector in Romania gives an insight into the general e-Government service environment and the national and government ICT infrastructure. The surveys and interviews conducted during the consulting, with government officials, citizens and businesses, were analyzed to find out what the different parties need from a secure e-Government service.
<Table 3> Country Profile
Category | Descriptions
Country Name | Romania (Republic)
Capital | Bucharest
Divisions | 81 provinces and 136 chartered cities
Location | Southeastern Europe, bordering the Black Sea, between Bulgaria and Ukraine
Area | Total: 238,391 sq km (land: 229,891 sq km, water: 8,500 sq km); border countries: Bulgaria 608 km, Hungary 443 km, Moldova 450 km, Serbia 476 km, Ukraine (north) 362 km, Ukraine (east) 169 km
Climate | Temperate: cold, cloudy winters with frequent snow and fog; sunny summers with frequent showers and thunderstorms
Ethnic Groups | Romanian 83.4%, Hungarian 6.1%, Roma 3.1%, Ukrainian 0.3%, German 0.2%, other 0.7%, unspecified 6.1% (2011 est.)
Population | 21,666,350 (July 2015 est.)
GDP (purchasing power parity) | $392.8 billion (2014 est.)
GDP per capita (PPP) | $19,700 (2014 est.)
Telephones, fixed lines | 4.6 million (2014 est.)
Telephones, mobile cellular | 22.9 million (2014 est.)
Internet users | 11.2 million (2014 est.)
(Source: www.cia.gov)
1. ICT Environment Analysis
The ICT environment analysis consists of general information and a PEST (Political, Economic, Social and Technological) analysis, from which the implications are derived.
(Source: www.gov.ro)
(Figure 2) Government Structure
<Table 4> Penetration rates of fixed broadband internet access services at national level and in urban/rural areas: 2012 – 2014
Indicator | Dec 2012 | Dec 2013 | Dec 2014
Total no. of fixed broadband internet access connections (million) | 3.5 | 3.8 | 4.0
Penetration rate per 100 inhabitants (%) | 17.6 | 18.9 | 20.1
No. of fixed broadband internet access connections in URBAN areas (million) | 2.7 | 2.8 | 2.9
Urban penetration rate per 100 inhabitants (%) | 24.6 | 26.0 | 27.2
No. of fixed broadband internet access connections in RURAL areas (million) | 0.9 | 1.0 | 1.1
Rural penetration rate per 100 inhabitants (%) | 9.4 | 10.7 | 11.8
No. of fixed broadband internet access connections provided to residential customers (million) | 3.2 | 3.5 | 3.6
Penetration rate per 100 households (%) | 42.8 | 46.2 | 48.8
No. of fixed broadband internet access connections provided to residential customers in URBAN areas (million) | 2.4 | 2.5 | 2.6
Urban penetration rate per 100 households (%) | 56.7 | 60.0 | 62.3
No. of fixed broadband internet access connections provided to residential customers in RURAL areas (million) | 0.8 | 0.9 | 1.0
Rural penetration rate per 100 households (%) | 25.0 | 28.3 | 31.4
Total no. of mobile broadband internet access connections (million) | 7.1 | 9.6 | 12.0
Penetration rate per 100 inhabitants (%) | 35.4 | 47.9 | 60.2
(Source: statistica.ancom.org.ro)
(Figure 3) Penetration rates of broadband internet access connections: 2012 – 2014 (Source: statistica.ancom.org.ro)
From the data on the general ICT environment and its development, the consulting team understands that the ICT sector is of strategic importance for the economy, since it can serve as a stepping stone for the development of every other industry. Romania is one of the strongest markets in Europe for investment in technology and trade, with a highly skilled workforce, competitive costs, top-tier investors and a business-friendly environment. Romania has a strong telecommunication infrastructure and ICT education system, as the following facts show: the country was one of the first in Europe to launch 4G technology; over 5,000 new graduates enter the labor market every year; there are over 8,000 software and IT services companies in Romania; many Romanian ICT experts work abroad in the USA and Western Europe; and multinational companies such as Alcatel, Siemens, Oracle, IBM and Microsoft have created large R&D centers and headquarters in Romania to take full advantage of its skilled ICT workforce.
Nonetheless, Romania's e-Government services are still at a developing stage and rank relatively low in the measured categories: 62nd place in the E-Government readiness index in 2014.
(Source: www.unpan.org)
(Figure 4) E-government development in the European Union (EU) Member States
2. Current PKI Status in Romania
2.1. PKI Scheme
By law, the Ministry for Information Society (MIS) supervises and monitors the national PKI in Romania. Under this scheme, five CAs are designated as qualified CAs to issue certificates to citizens and companies. Romania therefore has five separate CA hierarchies, one per qualified CA, and interoperability between the qualified CAs has not been addressed.
(Figure 5) PKI architecture in Romania
Romania is considering a modified Bridge CA (BCA) model that combines the Web/Internet trust model with the BCA model. Under it, a relying party either obtains a CA's certificate through cross-certification or relies on a certificate trust list (CTL).
(Figure 6) Considered PKI Scheme in Romania
The 'Bridge CA' will provide PKI interoperability with EU member states and enhance trust in electronic transactions in the internal market. Building trust in the online environment is key to economic development: a lack of trust makes consumers, businesses and administrations hesitant to carry out transactions electronically and to adopt new services. The qualified CAs will be connected to the 'Bridge CA', which provides interoperability with other countries' qualified CAs. However, a Government CA issuing certificates to public officers and government organizations does not yet exist in Romania.
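The two interoperability mechanisms named above, as an added example that is not part of the original report: a Go program using only the standard crypto/x509 package builds two independent qualified CA hierarchies (the AS-IS situation), a bridge CA with the two cross-certificates that link it to both, and one subscriber certificate from CA B, then runs standard X.509 path validation three ways. IsolatedHierarchies shows a relying party that trusts only Root A and has no cross-certificates, which cannot validate CA B's subscriber; BridgePath shows the same trust anchor succeeding once the cross-certificates are available (a four-certificate path through the bridge); TrustListPath shows the CTL alternative, where Root B is simply added to the relying party's trust list. The CA names, serial numbers and ECDSA P-256 keys are assumptions made for the example; the certificates are generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA pairs a CA's signing key with its self-signed certificate.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue binds name to key's public key; parent == nil means self-signed. A CA certificate
// for an existing CA's name and key, signed by a different issuer, is exactly a cross-certificate.
func issue(serial int64, name string, isCA bool, key *ecdsa.PrivateKey, parent *CA) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// PKI is the constructed sample scheme (names invented): two independent qualified CAs,
// a bridge CA, the two cross-certificates linking them, and one subscriber of CA B.
type PKI struct {
	RootA, RootB, Bridge *CA
	BridgeByA            *x509.Certificate // Root A cross-certifies the bridge's key
	RootBByBridge        *x509.Certificate // the bridge cross-certifies Root B's key
	LeafB                *x509.Certificate // subscriber certificate issued by CA B
}

func BuildPKI() *PKI {
	kA, kB, kBr := newKey(), newKey(), newKey()
	p := &PKI{
		RootA:  &CA{kA, issue(1, "Qualified CA A Root", true, kA, nil)},
		RootB:  &CA{kB, issue(2, "Qualified CA B Root", true, kB, nil)},
		Bridge: &CA{kBr, issue(3, "Romanian Bridge CA", true, kBr, nil)},
	}
	p.BridgeByA = issue(4, "Romanian Bridge CA", true, kBr, p.RootA)
	p.RootBByBridge = issue(5, "Qualified CA B Root", true, kB, p.Bridge)
	p.LeafB = issue(6, "Subscriber of CA B", false, newKey(), p.RootB)
	return p
}

// pathLength runs crypto/x509's RFC 5280 path validation from leaf to one of roots, using
// intermediates as candidate CA certificates, and returns the length of the first valid path.
func pathLength(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// IsolatedHierarchies (AS-IS): trust only Root A, no cross-certificates, so validation fails.
func IsolatedHierarchies(p *PKI) (int, error) {
	return pathLength(p.LeafB, []*x509.Certificate{p.RootA.Cert}, nil)
}

// BridgePath: same anchor plus the cross-certificates; the path found is
// leaf -> Root B (certified by the bridge) -> bridge (certified by Root A) -> Root A.
func BridgePath(p *PKI) (int, error) {
	return pathLength(p.LeafB, []*x509.Certificate{p.RootA.Cert}, []*x509.Certificate{p.BridgeByA, p.RootBByBridge})
}

// TrustListPath: the CTL alternative, Root B listed as a trust anchor directly.
func TrustListPath(p *PKI) (int, error) {
	return pathLength(p.LeafB, []*x509.Certificate{p.RootA.Cert, p.RootB.Cert}, nil)
}

func main() {
	p := BuildPKI()
	_, err := IsolatedHierarchies(p)
	fmt.Println("isolated hierarchies:", err)
	fmt.Println(BridgePath(p))    // 4 <nil>
	fmt.Println(TrustListPath(p)) // 2 <nil>
}
```

Two points the run makes concrete. In the bridge model the relying party's configured trust anchor never changes; what changes is the set of cross-certificates it must be able to obtain, which is why the report's "download the CA certificate" step matters operationally (a repository or AIA pointer for the cross-certificates is part of the design). In the CTL model the trust list itself becomes the object to protect and distribute. Real bridge cross-certificates also carry policy mappings, policy and name constraints and path-length limits so that trust does not flow unconditionally through the bridge; this example omits them.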
2.2. Legal Framework
The national implementation of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (the framework since replaced by Regulation (EU) No 910/2014, eIDAS) defines the legal value of electronic signatures, the requirements of the specialized supervisory and regulatory authority for qualified digital certificate service providers, accreditation procedures and other specific requirements.
<Table 5> Legal Recognition of Digital Signature in Romania
CHAPTER I: General Provisions
Sections: 1. General Principles; 2. Definitions
- defines electronic signature and extended electronic signature
- defines related terms such as subscriber, qualified certificate, etc.
CHAPTER II: The Legal Status of Documents in Electronic Form
- the legal status of an electronic document that incorporates an electronic signature or has one attached to it
CHAPTER III: Certification Service Provision
Sections: 1. Common Provisions; 2. Qualified Certification Service Provision; 3. Suspension and Expiry of Certificate Validity
- common provisions for Certification Service Providers (CSPs)
- obligations of CSPs
- information contained in qualified certificates
- responsibilities of CSPs issuing qualified certificates
- situations in which certificate validity is suspended or revoked
CHAPTER IV: Monitoring and Control
Sections: 1. Supervisory and Regulatory Authority; 2. Supervision of Certification Service Providers' business; 3. Voluntary Accreditation; 4. Homologation
- the Ministry for Information Society as the supervisory and regulatory authority
- CSPs' registration with the authority and their obligations
- duties and rights of the supervisory and regulatory authority in supervising CSP business
- the authority's power to order a CSP to cease its activity and be erased from the registry
- homologation agencies that check the compliance of secure-signature-creation devices with the law
CHAPTER V: Acknowledgment of Certificates Issued by Foreign Certification Service Providers
- legal effect of certificates issued by foreign certification service providers
CHAPTER VI: Liability of Certification Service Providers
- the liability of CSPs
- a CSP is liable for damage caused to any person
CHAPTER VII: Obligations of Certificate Holders
- obligations of certificate holders
- situations in which certificate holders must apply for revocation
CHAPTER VIII: Administrative Violations and Penalties
- administrative violations and penalties for CSPs
- cases and amounts of penalties for CSPs
CHAPTER IX: Final Provisions
- the level of tariffs established by the homologation agencies for the homologation of secure-signature-creation devices and for additional services
After studying the Romanian legal framework related to PKI, the consulting team makes the following suggestions for improving it:
• Accreditation: the accreditation criteria, accreditation procedure and auditing procedure for CA applicants should be described in more detail
• Technical requirements: the PKI system, facilities/equipment and PKI standards required of CA applicants should be described in detail
• CP/CPS: a framework for the Certificate Policy and Certification Practice Statement of CA applicants should be provided by the government
• A unified standard for certificate policy should be defined so that certificates from different CAs present a common interface to relying applications
• Mandating the use of electronic signatures for e-Government services could be considered as a means of rapidly spreading the use of PKI technology
※ Korea mandated the use of digital signatures for internet banking (September 2002), online stock trading (March 2003), internet shopping (November 2005) and public services (January 2006).
• A national PKI steering committee should be considered, in which experts from the related parties discuss experience, knowledge and pending issues
• Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS), adopted in July 2014, should be reviewed and implemented properly
2.3. PKI Policy
The Romanian digital signature law designates the Ministry for Information Society (MIS) as the supervisory and regulatory body of the national PKI. The MIS is in charge of accrediting and auditing qualified CAs. The highlights of the Romanian PKI policy are as follows:
• Qualified CA accreditation: all qualified digital certificate providers must be accredited by the specialized supervisory and regulatory authority
• Qualified CA auditing: the qualification is renewed every 2 years; qualified CAs must be audited by independent external auditors; and their systems are verified annually
• Types of certificate providers:
- qualified digital certificate providers can voluntarily request accreditation
- unqualified digital certificate providers must notify the specialized supervisory and regulatory authority
• Regulation of information security in e-Government projects: not regulated or controlled by a specific rule or guideline
2.4. PKI Status and Services
The consulting team conducted interviews and Q&A sessions with the persons in charge at each certificate authority to research the PKI status.
The Romanian PKI only issues a simple license to companies that apply to become a certificate authority, and because there are no standardized certificate policies (CPs) and guidelines, the Romanian government cannot have a unified certificate policy for the digital signing of electronic documents. Each certificate authority currently has its own certificate policies and issues different certificates with different profiles.
This inefficient national PKI forces customer organizations to develop applications that recognize all the different certificates issued by the different authorities, which raises implementation costs.
In addition, from the users' perspective, multiple certificates must be obtained to use different services, which raises the cost of certificates and makes certificate management inefficient.
The current services of each certificate issuer are summarized below:
The current status of each service of certificate issuers is summarized as below:
<Table 6> Qualified CAs in Romania
1. CERTSIGN (www.certsign.ro)
   PKI Services: CA Service; TSA/OCSP Service
   Major Customers: E-Mail, Document Security; E-Procurement; Tax Declaration
   Num. of Certificates Issued: 100,000
   Opinions from CA:
   - As the leader of the market, Certsign supports the idea of strengthening the regulations, such as refining the qualified CA auditing procedures
   - As new technologies such as mobile phones and tachographs rise, new technological standards and guidelines are necessary
2. DIGISIGN (www.digisign.ro)
   PKI Services: CA Service; TSA/OCSP Service; SSL Certificate; Code Signing Certificate
   Major Customers: E-Health; Tax Declaration; E-Procurement
   Num. of Certificates Issued: 20,000
   Opinions from CA:
   - The expensive price of qualified certificates deters further expansion of the digital signature industry
   - Mandatory use of the qualified certificate for e-Government services shall stimulate the growth of the market
3. Trans Sped (www.transsped.ro)
   PKI Services: CA Service; TSA/OCSP Service; SSL Certificate
   Major Customers: Tax Declaration; CNAS Reference; BCR Signature
   Num. of Certificates Issued: 20,000
   Opinions from CA:
   - Trans Sped is in close technical collaboration with TC TrustCenter in Germany
   - Trans Sped is more focused on being ready to comply with the new EU regulation called eIDAS, which is aimed to be published in 2014
4. SC CENTRUL DE CALCUL SA (CertDigital) (www.certdigital.ro)
   PKI Services: CA Service; TSA Service
   Major Customers: Electronic prescription; On-line statements for individuals or companies
   Num. of Certificates Issued: 8,000
   Opinions from CA:
   - Current government guidelines can be interpreted and implemented differently depending on the CA, in cases such as the certificate renewal procedure, the use of pseudonyms and renting out certificates
   - Technical standards, such as upgrading the "SHA1" algorithm and the use of mobile certificates, shall be updated
   - More use of digital certificates in public services is necessary
5. Alphatrust (www.alphatrust.ro)
   PKI Services: CA Service; TSA/OCSP Service
   Major Customers: Tax Declaration
   Num. of Certificates Issued: 5,000
   Opinions from CA:
   - Digital certificates are mainly used for corporate tax declarations. Considering that an accountant uses one qualified certificate for multiple companies, the possibility of market growth is still low
The certificate profiles of the five qualified CAs are compared as follows:
<Table 7> Certificate Profiles in Romania
Signature Algorithm
- Cert Sign: SHA1RSA
- DIGISIGN: SHA1RSA
- Cert Digital: SHA1RSA
- Trans Sped: SHA1RSA
- Remarks: the upgrade to "SHA2" will take place at the end of the year
Subject
- Cert Sign: CN = certSIGN CA Class 2, OU = certSIGN CA Class 2, O = certSIGN, C = RO
- DIGISIGN: C = RO, O = DigiSign S.A, OU = DigiSign Public CA, CN = DigiSign Qualified Public CA
- Cert Digital: CN = Cert Digital Qualified CA Class 3, OU = Cert Digital, O = Centrul de Calcul SA, C = RO
- Trans Sped: CN = Trans Sped SAFE CA II, OU = Individual Subscriber CA, O = Trans Sped SRL, C = RO
- Remarks: DN order shall be the same
Public Key
- Cert Sign: RSA 2,048 bits
- DIGISIGN: RSA 4,096 bits
- Cert Digital: RSA 2,048 bits
- Trans Sped: RSA 2,048 bits
- Remarks: key length shall be the same
CRL Distribution Point
- Cert Sign: URL=http://crl.certsign.ro/root.crl; URL=ldap://ldap.certsign.ro/OU=certSIGN ROOT CA,O=certSIGN,C=RO?certificateRevocationList;binary
- DIGISIGN: URL=http://crl.digisign.ro/qualifiedrootcav2/latest.crl
- Cert Digital: URL=http://crl.certdigital.ro/rootv1.crl; URL=https://ca.certdigital.ro/CRLs/rootv1.crl
- Trans Sped: URL=http://crl.tcclass3-ii.trustcenter.de/crl/v2/tc_class_3_ca_II.crl; URL=ldap://www.trustcenter.de/CN=TC%20TrustCenter%20Class%203%20CA%20II,O=TC%20TrustCenter%20GmbH,OU=rootcerts,DC=trustcenter,DC=de?certificateRevocationList?base?
- Remarks: CRL Distribution Point structure shall be the same for interoperability
Authority Information Access
- Cert Sign: URL=http://ocsp.certsign.ro
- DIGISIGN: URL=http://ocsp.digisign.ro/ocsp
- Cert Digital: N/A
- Trans Sped: URL=http://ocsp.tcclass3-II.de; URL=http://www.trustcenter.de/certservices/cacerts/tc_class_3_ca_II.crt
- Remarks: AIA structure shall be the same for interoperability
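The differences in Table 7 can be checked mechanically rather than by reading certificates one by one. The Go program below is an added example written for the readers of this report; it is not code from the report or from any of the CAs named in it. It records the Table 7 fields as a small struct, extracts the same fields from a parsed X.509 certificate, and reports the weaknesses the table's remarks point at: a SHA-1 signature, an RSA key below a 2,048-bit floor, and a missing CRL Distribution Point or Authority Information Access. The `Profile` and `Audit` names, the 2,048-bit floor, the example.com URLs and the self-signed test certificate are assumptions of the example; the four CA records are transcribed from Table 7 with one CRL URL each.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Profile is a CA-neutral record of the fields Table 7 compares.
type Profile struct {
	Name    string
	SigAlg  string   // signature algorithm name, e.g. "SHA1RSA" or Go's "SHA256-RSA"
	RSABits int      // RSA modulus length; 0 when the key is not RSA
	CRLDP   []string // CRL Distribution Point URLs
	AIA     []string // Authority Information Access URLs (OCSP responder, CA issuer)
}

// minRSABits is the key length floor used by the audit (an assumed policy value).
const minRSABits = 2048

// ProfileFromCertificate pulls the Table 7 fields out of a parsed X.509 certificate.
func ProfileFromCertificate(name string, c *x509.Certificate) Profile {
	p := Profile{Name: name, SigAlg: c.SignatureAlgorithm.String()}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		p.RSABits = pub.N.BitLen()
	}
	p.CRLDP = append(p.CRLDP, c.CRLDistributionPoints...)
	p.AIA = append(p.AIA, c.OCSPServer...)
	p.AIA = append(p.AIA, c.IssuingCertificateURL...)
	return p
}

// Audit returns one finding per weakness: legacy hash, short key, missing CRL DP, missing AIA.
func Audit(p Profile) []string {
	var findings []string
	alg := strings.ToUpper(strings.ReplaceAll(p.SigAlg, "-", ""))
	if strings.Contains(alg, "SHA1") || strings.Contains(alg, "MD5") {
		findings = append(findings, "signature algorithm "+p.SigAlg+" uses a legacy hash; move to SHA-2")
	}
	if p.RSABits == 0 {
		findings = append(findings, "no RSA public key; key length not assessed")
	} else if p.RSABits < minRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits; policy floor is %d", p.RSABits, minRSABits))
	}
	if len(p.CRLDP) == 0 {
		findings = append(findings, "no CRL Distribution Point; relying parties cannot fetch revocation data")
	}
	if len(p.AIA) == 0 {
		findings = append(findings, "no Authority Information Access; no OCSP responder or issuer URL")
	}
	return findings
}

// RomanianProfiles is transcribed from Table 7 (one CRL URL per CA, for brevity).
var RomanianProfiles = []Profile{
	{Name: "Cert Sign", SigAlg: "SHA1RSA", RSABits: 2048,
		CRLDP: []string{"http://crl.certsign.ro/root.crl"}, AIA: []string{"http://ocsp.certsign.ro"}},
	{Name: "DIGISIGN", SigAlg: "SHA1RSA", RSABits: 4096,
		CRLDP: []string{"http://crl.digisign.ro/qualifiedrootcav2/latest.crl"}, AIA: []string{"http://ocsp.digisign.ro/ocsp"}},
	{Name: "Cert Digital", SigAlg: "SHA1RSA", RSABits: 2048,
		CRLDP: []string{"http://crl.certdigital.ro/rootv1.crl"}, AIA: nil},
	{Name: "Trans Sped", SigAlg: "SHA1RSA", RSABits: 2048,
		CRLDP: []string{"http://crl.tcclass3-ii.trustcenter.de/crl/v2/tc_class_3_ca_II.crl"}, AIA: []string{"http://ocsp.tcclass3-II.de"}},
}

// NewSelfSigned builds a throw-away self-signed CA certificate carrying the given
// CRL DP and OCSP URLs so the extraction path can be exercised offline
// (constructed test material, not a real CA certificate).
func NewSelfSigned(bits int, crl, ocsp []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Qualified CA", Country: []string{"RO"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		CRLDistributionPoints: crl,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, p := range RomanianProfiles {
		fmt.Printf("%-12s %v\n", p.Name, Audit(p))
	}
	c, err := NewSelfSigned(2048, []string{"http://crl.example.com/ca.crl"}, []string{"http://ocsp.example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-12s %v\n", "SHA-2 test", Audit(ProfileFromCertificate("SHA-2 test", c)))
}
```

Run against the Table 7 records, every CA gets the SHA-1 finding and Cert Digital additionally the missing-AIA finding; a freshly generated SHA-256 certificate with both URLs passes clean. The same `Audit` can be pointed at a CA's real issuing certificate through `ProfileFromCertificate`, which is how a supervisory body would verify the "shall be the same" remarks across CAs.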
The major PKI-enabled e-Government services in Romania are as follows:
<Table 8> Major PKI-enabled e-Government Services in Romania
1. Agentia pentru Agenda Digitala a Romaniei (AARD), http://www.aard.ro
   - AARD implements and operates e-Government services such as e-procurement
   - AARD operates its own PKI system, issuing unqualified certificates for subscriber authentication
   - The e-Procurement system requires two types of digital certificate:
     • Login (Authentication): Unqualified Certificate
     • Document Signing (Integrity, Non-Repudiation): Qualified Certificate
     ※ Digitally signed (PKCS#7) documents are stored in the database without any verification or validation at the web application server
   - AARD implements and operates the nationwide electronic Point of Single Contact (PSC), aiming at streamlining government services, creating an integrated market, and simplifying service procedures, thereby developing an interoperable Romanian and pan-European platform
   - Citizens can apply for online public services in two ways:
     • Scanned electronic documents
     • Electronic documents digitally signed using a qualified certificate
     ※ There has been no request using qualified certificates yet due to the low number of PSC users
2. Tax Declaration Service (Ministry of Finance)
   - According to the Order of the ANAF (National Agency for Fiscal Administration) President no. 2520/2010, beginning from 25.11.2010, large and medium-sized corporate tax payers as well as their secondary headquarters are OBLIGED to file tax declarations by electronic means of remote transmission
   - Qualified certificates are used to secure e-documents generated in three cases: tax declarations; securing transactions between banks and the TRF (Transform Registry); e-Payment (planning to use qualified certificates)
   - Digitally signed (PKCS#7) documents are verified and validated at the web application server before storage in the database
   - Most banks use SSL (Secure Socket Layer) and OTP (One Time Password) for the security of e-transactions. Only a few banks use qualified certificates
2.5 Major findings of PKI
The major findings on the PKI status in Romania are summarized in the table below:
<Table 9> Major Findings
1. PKI Scheme
   Findings: No inter-sectoral working group related to PKI
   Tasks:
   - A PKI steering committee, with members including the qualified CAs and major PKI vendors, should be created as a place to discuss regulatory and technical issues of PKI, especially the Bridge CA project
2. Legal Framework
   Findings: The regulations may not reflect the rapidly developing technological environment
   Tasks:
   - The legal framework should recognize the rise of new technologies such as mobile phones, digital TV, internet phones, etc.
   - The contents of the new EU regulation, eIDAS, shall be revised based on the needs and changes of the market
3. PKI Policy
   Findings: Detailed qualified CA guidelines may promote the digital signature market
   Tasks:
   - Romanian regulations or guidelines on accrediting and auditing CAs shall fully comply with the related EU regulations
   - A PKI policy to promote the market is necessary
4. PKI Industry Overview
   Findings: Qualified certificates are used only in limited cases; the market growth is fairly slow
   Tasks:
   - More e-Government applications have to be implemented based on secure PKI technology
   - Due to the expensive certificate price, the PKI market has not been activated yet
5. Certificate Profile (Validation)
   Findings: Romania's technical standards are not up to date
   Tasks:
   - Key length and hash algorithm shall be considered for upgrade
     • Subscriber key: more than 2,048 bits
     • Hash algorithm: stronger than "SHA2"
   ※ Technical standards for interoperability among CAs shall be considered
6. PKI-enabled e-Government Services
   Findings: Qualified certificate validation is not universal
   Tasks:
   - The validation procedure at web application servers shall be enhanced
   - Implementation of a VA (Validation Authority) can be considered as a means to increase the efficiency of qualified certificate validation
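Table 8 records that one service stores signed PKCS#7 documents without any verification at the web application server while the other verifies them before storage, and finding 6 asks for the server-side procedure to be enhanced. The Go program below is an added example, not code from either service or from the report: it sketches the gate that should sit between the upload handler and the database, accepting a document only when the signer's certificate chains to a trusted qualified CA and is valid at the time of the check, carries the digital-signature key usage, and the signature verifies over exactly the submitted bytes. It uses a detached RSA signature in place of a PKCS#7 envelope, a throw-away root CA and subscriber certificate constructed inside the program, and invented names (`Validator`, `Accept`, `Store`, `NewFixture`); the revocation check (CRL or OCSP) is marked but left to the operator's infrastructure.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedSubmission is what the web application server receives: the document,
// a detached signature over it, and the signer's certificate (DER). A PKCS#7
// envelope bundles the same three parts; a detached signature keeps the checks
// visible without a CMS parser.
type SignedSubmission struct{ Document, Signature, SignerCert []byte }

// Store stands in for the database table that must only receive validated documents.
type Store struct{ Accepted [][]byte }

// Validator holds the trust anchors the server recognises (the qualified CAs).
type Validator struct{ Roots *x509.CertPool }

// Accept runs the server-side checks before storage: the signer chains to a
// trusted CA and is within its validity period, the certificate is allowed to
// sign, and the signature covers exactly this document.
func (v *Validator) Accept(s SignedSubmission, st *Store, now time.Time) error {
	cert, err := x509.ParseCertificate(s.SignerCert)
	if err != nil {
		return fmt.Errorf("unparseable signer certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: v.Roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer does not chain to a trusted CA: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("signer certificate not permitted for digital signatures")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	digest := sha256.Sum256(s.Document)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], s.Signature); err != nil {
		return errors.New("signature does not verify over this document")
	}
	// Revocation status (CRL from the CRL DP, or OCSP via AIA) would be checked here.
	st.Accepted = append(st.Accepted, append([]byte(nil), s.Document...))
	return nil
}

// Sign is the subscriber side: RSA PKCS#1 v1.5 over SHA-256 (constructed for the example).
func Sign(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Fixture is a throw-away hierarchy: one root CA and one subscriber certificate
// issued by it. Constructed test material; no real CA is involved.
type Fixture struct {
	Roots     *x509.CertPool
	SignerKey *rsa.PrivateKey
	SignerDER []byte
}

func NewFixture() (*Fixture, error) {
	now := time.Now()
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Qualified Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	signerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:   pkix.Name{CommonName: "Example Taxpayer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	signerDER, err := x509.CreateCertificate(rand.Reader, signerTmpl, root, &signerKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Fixture{Roots: pool, SignerKey: signerKey, SignerDER: signerDER}, nil
}

func main() {
	fx, err := NewFixture()
	if err != nil {
		panic(err)
	}
	v, st := &Validator{Roots: fx.Roots}, &Store{}
	doc := []byte("constructed tax declaration")
	sig, _ := Sign(fx.SignerKey, doc)
	fmt.Println("genuine:", v.Accept(SignedSubmission{doc, sig, fx.SignerDER}, st, time.Now()))
	altered := append([]byte(nil), doc...)
	altered[0] ^= 1 // one bit changed after signing
	fmt.Println("altered:", v.Accept(SignedSubmission{altered, sig, fx.SignerDER}, st, time.Now()))
	fmt.Println("stored:", len(st.Accepted))
}
```

The point of the ordering is that nothing reaches `Store` until every check has passed, so a database of signed declarations never holds a document whose signature was never examined. A signature copied from another document, a document altered after signing, a certificate from a CA outside the trusted set, and a certificate checked after its expiry are all turned away by the same function.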
III. International trend for PKI
1. The Current State of Korea PKI
2. The Current State of Brunei PKI
3. The Current State of Kenya PKI
4. The Current State of Cameroon PKI
5. The Current State of Germany PKI
1. The Current State of Korea PKI
1.1. Overview
The consulting team studied the Korean case, covering the current Korean PKI certification system, digital-signature-based authentication technology, certification policy, digital signatures and the relevant laws and regulations.
<Table 10> Scope of Benchmarking of Korea
Subject | Contents
Law, Policy, Standards | Electronic Signature Act, Decree and Ordinance; Certification Practices Statement; Electronic Signature Certification Technology
PKI Model | Government PKI; National PKI
Electronic Signature Promotion | Interoperability among Accredited CAs; Provide User's Convenience; Cross certification for NPKI and GPKI; Mandating Accredited Certificate (bank, stock); End of Certificate Free Trial Period; Upgrading of PKI technologies; Division of PKI Markets; Addition of Root CA Certificate to MS IE
PKI Applications | E-Procurement, Internet Banking, Payment Gateway, G4C etc.
1.2. Status of Laws and Standards
1.2.1. Electronic Signature Act
The Korean Electronic Signature Act (“KESA”) is enforced by the Electronic Signature Act
Enforcement Decree and Electronic Signature Act Enforcement Regulations. Four subordinate rules
also exist governing CA accreditation, Accredited CA’s operation and protection measure, and
subscriber’s Identification and authentication procedures. Based on the statutory and technical
authorities, the Electronic Signature Certification Technology and the CPS (Certificate Practices
Statement) are put in operation.
(Figure 7) Structure of electronic signature
<Table 11> Count of laws and standards
Type | Act | Decree and Regulation | Notification | Standards
Count | 1 | 2 | 4 | 33
Definition
An electronic signature is unique information that identifies the person who created an electronic document and confirms whether the electronic document has been modified. It gives the electronic document functions such as identification of the signer, confidentiality, tamper prevention, protection against document forgery, and prevention of denial by the signer.
Necessities
The Electronic Signature Act is intended to increase the stability and reliability of electronic documents. The electronic signature provides identification, authentication, integrity of the electronic document, confidentiality and non-repudiation, and fulfills the legal conditions of a written document and signature. The Act introduces an authentication system to secure the stability and integrity of electronic signatures and to promote the use of electronic documents.
Requirements
o Not changeable: A person who does not have the key cannot modify the electronic document
o Not forgeable: A person who does not have the key cannot create the electronic signature
o Not reusable: The electronic signature of document A cannot be substituted for the electronic signature of document B
o Identification: The person who owns the key is the one who performs the electronic signature
o Non-repudiation: A person who has the key and has performed electronic signing cannot repudiate the act of signing
Fields
o Common electronic commerce: Internet shopping, booking systems, billing, goods transport, information sharing
o Financial field: Internet banking, cyber stock exchanges, insurance, electronic money
o Public field: Civil affairs, public document distribution, auction, legal permission, tax, procurement, import/export clearance, electronic application
o Others: Electronic mail, long-distance medical services, electronic notaries, electronic verification
History
o Electronic Signature Act: enacted (Feb, 1999); Decree and Ordinance: enacted (Jun & Aug, 1999)
o Electronic Signature Act: amended (Dec, 2001); Decree and Ordinance: amended (Jun & Aug, 2002); 3 kinds of Rules and Guidelines: enacted (Nov, 2002)
o Electronic Signature Act as amended (Dec, 2005):
- Division of PKI markets: To resolve the unfair trade issues arising from competition between corporations and non-profit organizations, the KESA assigns a separate market to non-profit organizations and entities established by a special law. Section 4.
- Unification of accreditation standards: The KESA mandates unification of the different accreditation standards of each CA, and imposes penalties on violators, thereby guaranteeing stability and reliability in accreditation. Section 6.
- Specification of CPS: The KESA mandates clarification of the e-signature accreditation guidelines for the CA's daily operation, and public access to them. Section 8.
- Ban on discretionary acts and allowance of administrative orders: The amended act authorizes issuance of administrative orders against failure to report any system error or failure to purchase insurance policies. Section 11.
- Specification of audit procedure and scope: To prevent abusive use of discretion, the KESA clarifies ambiguous or vague provisions, audit criteria and procedure, paving the way for clean and transparent administration. Section 14.
- Specification of counter-actions against accreditation errors: The amended KESA stipulates provisions for events arising in business operations, such as shutdown of the accreditation system, and thus protects users. Section 22.
- Expanded protection for generation of e-signatures: In the past, the KESA was silent on the use of accredited certificates for purposes other than those originally authorized. Thus, it was not possible to prosecute even a person who used, without authorization, the certificate of another person. Section 23.
- Reasonable burden of liabilities and insurance obligation for CA: The previous version of the KESA held the CA liable even for damage arising out of force majeure. The amended KESA grants immunity to the CA if it proves that the damage was not caused by its negligence, and mandates the CA to take out a liability insurance policy to protect customers. Section 26.
- Organization of an accreditation policy board: To foster fair competition and balanced development of the market, the amended KESA authorizes establishment of an accreditation policy board, and empowers it to review major policies for development of the market. Section 26.
- Specification of penalties: The amended KESA fines any entity that requires certain certificates over others in violation of interoperability up to 5 million won. Section 32.
Contents
o Section 3 of the KESA grants legal authority to accredited e-signatures to boost e-commerce.
- Any duly accredited e-signature is deemed a lawful and legal execution.
- If execution of an instrument is made with an accredited e-signature, the instrument is presumed duly authorized and not forged.
o The Minister of Information and Communication designates CAs.
- To secure the reliability and authority of e-signature accreditation, the government, pursuant to the KESA, acknowledges accreditation authorities, and the Minister of Information and Communication may designate a CA from any eligible central or local government (agency) or corporation. The KESA also defines the eligibility and qualification of CA employees. Section 4 & 5.
- The KESA relegates the details of the procedure and criteria for designating a CA to the implementation rules (i.e. presidential executive order) and to the authority. Section 4.
o Accreditation management system to guarantee continuity and appropriateness of accreditation
- The KESA defines details about the CA and its business operation, including how to report accreditation standards, and how to suspend or close the business operation of the CA. Section 6 - 10.
- The KESA also stipulates how a CA should conduct its business operation, when its designation is revoked, and how inspections are launched to make sure its business operation complies with relevant laws. Section 12 & 14.
o Issuance of Certificates
- To secure reliability in accreditation, the KESA specifies what should be incorporated in a certificate, when to issue a certificate and what leads to its suspension or revocation. Section 15 - 18.
o Protection of privacy
- The KESA articulates its privacy policy, prohibits, for example, unauthorized collection, use and disclosure of personal information, and penalizes any violator. Section 24 & 32 - 34.
o Mutual recognition of certificates issued by foreign authorities
- Based on the principle of reciprocity, the KESA acknowledges certificates issued by foreign authorities pursuant to international treaties. Section 27.
o Obligations and duties of CA
- The KESA obliges the CA to, for example, take measures against forgery, conduct business operations in a stable and reliable way, and safely manage e-signature keys and relevant documents. Section 19, 21 & 22.
- The KESA holds the CA liable for any harm or damage caused to the user arising out of its mal-performance or negligence. Section 26.
o Protection of e-signatures and e-documents
- To protect the reliance and trust of the public in e-signatures and e-documents, the KESA prohibits unauthorized use of another person's personal information or e-signature key, and prosecutes any violator. Section 23, 31 & 32.
o Establishment and operation of the Korea Certificate Authority Center
- The KESA authorizes the KISA to operate the Korea Certificate Authority Center to manage CAs efficiently and encourage safe use of e-signatures. Section 25.
1.2.2. Electronic Signature Act Enforcement Decree, Regulations
Major Points
o Accreditation Criteria
- At least 12 specialized employees are secured to maintain the 24-hour operation system and to develop relevant technologies.
- The initial capital should be at least 8 billion won.
- Pursuant to the laws and regulations, a CA has relevant equipment and facilities, for example, for identification of subscribers, e-signature key maintenance, safe and reliable management of certificates, verification of e-signatures and execution times, and protection of the certification management system.
- The core certification system shall be operated by at least two operators, and be duplex-structured against any system failure.
o Independence of CA
- A CA shall be independent and free from any interest with the party subscribing to its certification service.
o CA designation procedure
- An entity wishing to be designated as a CA may submit the application and relevant documents to the Minister of Information and Communication.
- After screening the applicant in terms of technical and financial qualifications, the Minister may grant the application upon finding the applicant eligible.
1.2.3. Notifications
Hereunder, a brief explanation will be given concerning four subordinate rules governing publication
of information.
Rules on Accredited Certification Authorities’ Facilities and Equipment
o The object of these regulations is to lay down details of facilities and equipment
pursuant to the provision of Sub clause 3 of Clause 1 of Section 2 of the Enforcement
Decree of the Electronic Signature Act and internal regulations pursuant to the
provision of Sub clause 4 of the same Clause in connection with the asymmetric
encryption-based electronic signature technology.
Rules on Accredited Certification Authorities Protective Measures
o The object of these regulations is to lay down details of the protective measures that
certification authorities must take to ensure the safety of certificatory service facilities
in accordance with Section 18-3 of the Electronic Signature Act and Section 13-4 of
the Enforcement Regulations of the same Act.
Guideline on Electronic Signature Certification Practices
o The object of this guideline is to lay down details of what certification authorities must observe in performing certification services by means of asymmetric encryption, in order to ensure safety and reliability of certification practices in accordance with Section 8 of the Electronic Signature Act.
Methods and Procedures for Identification and Authentication through Representatives
o The purpose of this notification is to define the method and procedure of certification
authorities' identifying those who want to have a certificate issued by the
representative in accordance with the provisions of the latter part of Clause 1 of
Section 15 of the Electronic Signature Act and Clause 3 of Section 13-2 of the
Enforcement Regulations of the same Act.
1.2.4. Major details of the Electronic Signature Act
Certified electronic signature & Not-certified electronic signature
o The coexistence of certified electronic signatures and not-certified electronic signatures is approved
o The certified electronic signature satisfies the requirement of a signature under the Act
<Table 12> Differences between certified signature and not-certified signature
Differences | Certified electronic signature (CA) | Not-certified electronic signature
Effects | Signature by Act | Personal agreement
Effect as evidence in the code of legal procedure | Presumptive effect (○) | Presumptive effect (×)
Damage suit | Accredited Certification Authority (Wrongdoer) | Victim
Definition of certified electronic signature and its requirements
o The markup information for the electronic signature must belong only to the subscriber
o The subscriber must own and manage the markup information at the time of signing
o It must be possible to confirm whether the electronic signature has been modified or not
Electronic signature certification systems
(Figure 8) NPKI model in Korea
o MOPAS (Ministry Of Public Administration And Security)
- Establishes the Act and regulations
- Constructs the national certification system
- Assigns and controls certification authorities
o KISA (Korea Information Security Agency)
- Operates the national certification management system
- Screens certification authorities for assignment
- Issues certification authority certificates
o Accredited Certification Authority
- Establishes certification work regulations
- Provides certification services
- Issues certificates for subscribers
- Revokes and renews certificates
Procedure of assignment for accredited CA
(Figure 9) Procedure of assignment for accredited CA
Compensation responsibility of CA
o In relation to certification work at a CA, when the CA causes any damage or loss to users or subscribers, the CA has to compensate the users
o User protection through the demonstration requirement
o CA protection based on the general principles of the Act
<Table 13> Compensation responsibility of CA
Statute | Act | Revised Act of the year 2001 | Revised Act of the year 2005
Exemption conditions | Force majeure; on purpose of the user; fault of the user | In case of force majeure, the responsibility for compensation is decreased; when the CA proves that there is no reason to compensate, the CA has no responsibility to compensate | In case of force majeure, no responsibility for compensation; when the CA proves that there is no reason to compensate, the CA has no responsibility to compensate
1.2.5. Certification Practices Statement (CPS)
The root CA and accredited CAs shall post the CPS on their homepages and thus provide users with access to it at all times. The CPS should contain information on, for example, management of certificates and key pairs, supplementary services, RA management, and audit management. The table below lists the details incorporated in a CPS.
<Table 14> Contents of CPS
Contents | Detail
Management of Certificates
- Transmission of Registered Information
- Request for Issuance of Certificate
- Generation of Certificates
- Request for Suspension, Restoration and Revocation of Certificates
- Generation of Certificate Suspension and Revocation List
- Public Announcement and Validation of Certificates
Management of Key Pairs
- Generation of Key Pairs
- Protection of Key Pairs
- Backup of Key Pairs
- Revocation of Key Pairs
- Loss, Destruction, Theft or Leakage of Private Keys
Other Certification Services
- Provision of Time Stamping
- Time Reception and Correction
- Storage of Time Stamping Records
- Storage of Electronic Documents
- Backup of Time Stamping Records
- Other Supplementary Services
Others
- Conformity with Technical Specifications
- Scope and Intended Use of Certificates
- Conformity to Certification Procedure
- Matters concerning Facilities and Equipment
- Management of Certification Service Records
- Management of Certification Service Records through the Representative
- Management of Audit Records
- Management of Registration Authorities
- Test Run of Certification Practice
- Correct Provision of Information and Public Notification
1.2.6. Digital Signature Certification Technology
The Digital Signature Certification Technology is a set of technical standards tailored for South Korea on the basis of the international standards.
Profiles
o RFC3280 serves as the basis for the accredited certificate and CRL profiles.
- Certificate Profile for Accredited Certificate
  Wire: Certificate Profile for Accredited Certificate [V1.10], 2008.10
  Wireless: Wireless Certificate Profile for Accredited Certificate [V1.21], 2001.08
- Certificate Revocation List Profile for Accredited Certificate
  Wire: Profiling on Certificate Revocation List for Accredited Certificate [V1.10], 2008.10
  Wireless: Wireless Certificate Revocation List Profile for Accredited Certificate [V1.21], 2001.08
- Distinguished Name Specification
  Common: Distinguished Name Specification [V1.10], 2008.10
o This is a standard for indicating the accreditation of a certificate.
- Mark Specification for Accredited Certificate
  Common: Mark Specification for Accredited Certificate [V1.00], 2008.10
o It is necessary to generate and verify the identity of a person, legal or natural, with an SSN or Business Tax ID without disclosing it. Thus, a relevant procedure should be provided.
- Subscriber Identification Based on Virtual ID
  Common: Subscriber Identification Based on Virtual ID [V1.11], 2008.10
Algorithms
o The algorithms used for accreditation purposes shall be defined. One feature of Korea is that it has developed "tailored" algorithms (e.g. KCDSA, HAS-160, SEED, etc.) alongside their international counterparts (e.g. RSA, SHA-1, 3-DES, etc.), and mandated their use.
- Digital Signature Algorithm Specification
  Wire, RSA: RSA Laboratories PKCS#1, "RSA Cryptography Specifications", 2002.06; ANSI X9.31, "Digital Signature Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)", 1998.09
  Wire, KCDSA: TTAS.KO-12.0001/R1, "Digital Signature Mechanism with Appendix - Part 2: Certificate-based Digital Signature Algorithm", 2000.12
  Wireless, RSA: RSA Laboratories PKCS#1, "RSA Cryptography Specifications", 2002.06; ANSI X9.31, "Digital Signature Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)", 2001.08
  Wireless, ECDSA: ANSI X9.62, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", 1998.09
  Common: Digital Signature Algorithm Specification [v1.20], 2008.10
- Hash Algorithm Specification
  Wire, SHA-1: FIPS PUB 180-1, "SECURE HASH STANDARD", 1995.04
  Wire, HAS-160: TTAS.KO-12.0011/R1, "Hash Function Standard – Part 2: Hash Function Algorithm Standard (HAS-160)", 2000.12
  Wireless, SHA-1: FIPS PUB 180-1, "SECURE HASH STANDARD", 1995.04
  Common: Hash Algorithm Specification [v1.10], 2008.10
- Encryption Algorithm
  Common, 3-DES: FIPS PUB 46-3, "DATA ENCRYPTION STANDARD (DES)", 1999.10
  Common, SEED: TTAS.KO-12.0004, "128-bit Symmetric Block Cipher (SEED)", 1999.09; Private-Key Encryption Scheme Specification Using the SEED Algorithm [v1.20], 2008.10
Management Protocols
- Certificate Request Format
  Wire, Online: Online Certification Request Message Format Protocol Specification [V1.20] (preparing), 2008.10
  Wire, Offline: RSA Laboratories PKCS#10, "Certification Request Syntax Standard", 2005.05
  Wireless, Online: Wireless Certification Request Message Format Protocol Specification [V1.32] (preparing), 2003.12
  Wireless, Offline: RSA Laboratories PKCS#10, "Certification Request Syntax Standard", 2005.05
  Common: The ReferenceValue/SecretValue Specification for Issuing Accredited Certificate [v1.10], 2008.10
Operation Protocols
- Directory Operation Protocol
  Common: LDAP Specification [V1.10], 2008.10
- Time Stamping Protocol
  Common: Time Stamp Specification [V1.10], 2008.10
- Network Time Protocol
  Common: Network Time Specification [V1.10], 2008.10
Path Construction and Verification Protocols
- GPKI and NPKI Interoperability Specification
  Common: The CTL Technical Specification for Interoperability of Certification Authorities [V1.30], 2008.10
- Online Certificate Validation Protocol
  Wireless: Online Certificate Validation Protocol [V1.20], 2008.10
- Accredited Certificate Path Validation Specification
  Common: Accredited Certificate Path Validation Specification [V1.10], 2008.10
Others
- User Interface Specification for the Interoperability of Accredited Certification Authorities
  Common: User Interface Specification for Accredited CAs [V1.70], 2008.10
- Storage Specification for PKI Information in HSM
  Common: Technical Specification for HSM based Certificate Format [v1.10], 2008.10
- Application Interface Specification for HSM
  Common: Specification of the Use of Certificates HSM based [v1.80], 2008.10
- Certificate Management Protocol for Accredited Certificate
  Wire: Certification Management Protocol Specification [V1.20], 2008.10
  Wireless: Wireless Certification Management Protocol Specification [V1.32], 2003.12
  Certification Management Protocol Specification [V1.00] (preparing)
- Cryptographic Key Protection Specification
  Common: Cryptographic Key Protection Specification [V1.10], 2008.10
- Accredited Certificate Updating Specification
  Common: Accredited Certificate Update Specification [V1.10], 2008.10
- Specification for Storing and Using Certificate in Mobile Device
  Common: Certificate Management in Mobile Device [v1.10], 2008.10
- Specification for Transferring Certificate via Mobile Phone
  Common: Certificate Transmission From PC to Mobile Device [v1.10], 2008.10
1.3. PKI Model
1.3.1. PKI Scheme
South Korea has two PKI structures: GPKI (Government PKI) and NPKI (National PKI).
<Table 15> GPKI and NPKI
Item | GPKI | NPKI
Act | Established in 2001 pursuant to the e-Government Act | Established in 1999 under the Electronic Signature Act
Ministry in Charge | MOPAS (Ministry Of Public Administration And Security) | MOPAS (Ministry Of Public Administration And Security)
Root CA | GCMA (http://www.gpki.go.kr) | KISA (http://www.rootca.or.kr)
Main Customer | Public Servants | Individuals, Companies
Business Area | G2G, G2B and G2C | C2C, B2C, B2B, G2B, G2C, etc.
The KESA laid the legal grounds for the NPKI, which was established in 1999. The MOPAS (formerly the Ministry of Information and Communication) supervises all procedures and the KISA functions as the root CA. On the other hand, the GPKI was founded in 2001, pursuant to the E-Government Act. The MOPAS takes charge of it, and the GCC assumes the role of the root CA.
(Figure 10) Procedure of assignment for accredited CA
1.3.2. GPKI (Government PKI)
Background
o Since April of 2000, the GPKI center has handled all matters related to e-signatures of
government agencies. For example, it verifies identification of the sender or receiver
of government e-documents, prevents forgery thereof, and has set up a certification
system to secure safe circulation of government e-documents. The hierarchy of
certificate management starts from the highest CA (MOPAS’s performing roles of CA
and RA, or Registration Authority), down to CA designated by the MOPAS,
registration bodies designated and operated by CA’s, and to remote registration bodies.
At each level, accreditation or relevant works are performed based on certificates.
History
o The GPKI system was constructed in April 2000 and its duplexing (redundant operation) was completed in December 2008
o GPKI services have been provided to the administrative EDI since May 2000
o GPKI standardized security APIs were developed and supplied in October 2000
o The laws and regulations needed to introduce the GPKI were established in February 2001
o The GPKI management system was extended from November 2001 to May 2002
o Cross-certification between the NPKI and the GPKI was established in April 2002
o The Korean GPKI was constructed in July 2002
o The GPKI system was installed, with support, at 25 Registration Authorities to register digital signatures from October to December 2002
o The groundwork for GPKI encryption key management was laid from February to July
o A wireless certification system was constructed and advanced certification services were introduced in December 2004
o The wired/wireless integrated certification management center was constructed in December 2005
o The GPKI encryption key management system was constructed in February 2006
o The government digital signature authentication and encryption key management systems were upgraded in November 2007
Relevant Laws
o The Promotion of E-Government Act (enacted in February 2001)
Section 20. Certification of e-signatures
The authorities in charge of e-signature certification (the Supreme Court and the four ministers in charge)
Duly certified e-signatures are deemed equivalent to official seals
o Implementation Rules of the Promotion of E-Government Act
Section 11. Certification of e-signatures
The MOPAS operates the GPKI center under its command; the center is the root CA
Section 57. Delegation and commissioning of accreditation
The head of the MOPAS may, at his or her discretion, designate and authorize a body of the central government or a local government as an accredited CA
Expected effects
o Reliable and secure e-administration through a unified certification management system and increased system security
o Higher administrative productivity, with security guaranteed by the GPKI center, by encouraging e-administration and the sharing of administrative information
o Secure and convenient e-administration services for the public, with each citizen's privacy guaranteed
Certificate of government e-signature
o Definition: the term "certificate of government e-signature" refers to electronic information issued to government agencies and employees to verify and prove the authenticity of a government e-signature.
o Usage
Online identity verification (certification of government employees and computers)
E-signature (official or personal seal)
Encryption (confidentiality of documents in transit)
<Table 16> Type of Certificate
Type | Intended receiver | Purpose
For official use: electronic seal | Division of an agency authorized to hold an official seal | Identity verification for administrative work that requires receipt/transmittal confirmation
For official use: special electronic seal | Government body authorized to hold a special official seal pursuant to Section 36 of the Work Management Guidelines | Work that requires a special official seal
For computer | Computer system that processes administration electronically (e.g. a server) | Administrative work that a computer system processes continuously according to fixed rules
For individual use | Government employees | User authentication, online payment, secure e-mail, VPN access, etc.
Status on certification of government e-signature
o Hierarchy of certification of government e-signature (as of December 2005)
<Table 17> Status of GPKI
Type | Role | Organization
Root CA | Certification of accredited CAs | MOPAS
CA | Certificate issuance and management for government employees; accreditation and operation of Registration Authorities (RAs) | Five government agencies including the Supreme Public Prosecutors' Office, the Supreme Court, the Ministry of Education and the Ministry of Defense
RA | User identification and registration management; accreditation and operation of remote RAs | 29 government agencies including the Office of the Presidential Chief of Staff, the Office of Presidential Secret Detail, the Korea Tax Service, etc.
Local RA | User identification and registration operation | 500 agencies including the National Intelligence Service, the Ministry of Planning and Budget, the Board of Audit and Inspection, etc.
Government employee | Use of digital signature, encryption and certification services | Government employees and authorities that have been issued certificates and are using them
Construction and operation of a unified certification system
o Wired and wireless issuance system for GPKI certificates
o Application of the standard API to e-signature and encryption
o Unified verification of GPKI and NPKI certificates
Development and distribution of the API
o 4th version distributed in January 2005: supports NPKI and GPKI certificates and performs unified certification
o 5th version distributed in January 2006: hardened against attacks, with improved performance
o Each agency has to prepare a maintenance plan when adopting new application services
o Application process
<Table 18> Application Process
Type | Detail
Process | Discussion about adoption of the security module -> submission of a written request (to the agency in charge) -> receipt of the request -> transmission of the reply -> technical support -> transmission of the prototype (to the requesting agency)
Scope | Central and local government agencies
Platforms/languages | HP-UX, AIX, Red Hat, Solaris and Windows; C, C++ and Java
Unified verification service
o Verification of both GPKI and NPKI certificates for an application through the unified verification server
o Centralized management of certification policies makes it easier to reflect new technology and relevant standards in the policies
o An application developer can apply the security module and detect problems without expert knowledge of certification
Management service of authorized access
o Provision of SSO (single sign-on) and unified authorization services for G4C, eNana, GKMC and the certification management center
o Verification of interoperability with the KMS (key management system)
Observance of wired and wireless GPKI standards, and a guarantee of the stability and normative status of the national infrastructure
o Technical certification standards used to verify the technical eligibility of the national certification management center
Wired PKI: certificate, CRL/ARL, CTL, CMP, OCSP, TSP, encryption/decryption, digital signature
Wireless PKI: WCMP, SignedContent, WAP EnvelopedData verification
o Failure to meet the standards leaves the system exposed to attack and makes compatibility and extensibility harder to achieve
(Figure 11) GPKI System Configuration
Future development directions
o Certification service improvement
Improvement of certification services such as certificate verification
Increased use of the standardized security APIs
Better education and training for those in charge of certification and for users
Development of applications that use the GPKI
o Laws and regulations
Realization of the certification policy and CPS
Establishment of criteria for CA auditing and qualifications
Improvement of laws and regulations regarding the encryption key recovery system
o Operation and management
Government-private cooperation and a technical cooperation system (such as the cooperation system between KISA and the private CAs)
Establishment of a GPKI policy council and its regularization
o Wireless certification service
Identifying wireless GPKI services
Deriving promotion tasks for the wireless GPKI and presenting improvement methods
1.3.3. NPKI (National PKI)
The NPKI consists of the root CA and the accredited CAs; their roles and structure are shown in the figure below.
MOPAS: law and policy arrangement; national authentication plan management; accredited CA management
Root CA (KISA): national authentication and system operation; field test for accredited CA accreditation; issuing certificates to licensed CAs
Accredited CA (ACA): authentication management; provision of CA services; certificate issuance; certificate termination/renewal
(Figure 12) NPKI System Organization
1.3.3.1. Root CA (KISA) - Korea Certificate Authority Center
Background
o The Korea Information Security Agency (KISA) was established on April 10, 1996 under Section 52 of the Promotion of Utilization of Information and Communication Network and Data Protection Act.
o Organization chart
(Figure 13) Organization chart of KISA
Missions of KISA
o Major working area
Internet incidents response & prevention
Private information and Privacy protection
Combating illegal spam
Digital signature management; the Root CA for NPKI
Information Infrastructure protection
IT security products evaluation
Information security policy/technology development
Roles of Root CA
o Operation of the root CA systems: issuing certificates to ACAs and managing them
o Accreditation requirements
Financial capability: more than US$8 million
Personnel capability: more than 12 persons for CA operation
Facilities and equipment: subscriber registration, key management, certificate management, subscriber software and security operation procedures
o CA accreditation renewal
Accreditation is valid for 2 years; apply to the MOPAS no later than 30 days before it expires
o Accreditation procedure
(Figure 14) Accreditation Procedure
Accredited CA management: on-site examination and regular audit of CAs
o KISA audits the operation of each accredited CA every year and verifies that the CA manages its operations securely
o KISA provides a self-assessment guideline to the accredited CAs
(Figure 15) Procedure for regular audits
CA Audit Items
<Table 19> CA Audit Items
No. | Item | Description
1 | Certification service | Secure operating procedures, e.g. for certificate issuance
2 | Key management | Secure operating and management procedures for the CA key
3 | Other certification services | Secure and reliable services such as time-stamping
4 | Facility and equipment management | Secure and reliable operation and management of the CA system, network facilities and physical access control equipment
5 | Document and record management | Management of CA operating rules and certification records
6 | Test operation and information provision | Accuracy of the CA information provided; secure test operation
7 | Network, system and physical facilities | Security and reliability of network, system and physical facilities
8 | Disaster recovery and business continuity plan (BCP) | Security and maintenance of the disaster plan; management of the BCP and its personnel
o To conduct research on legal and policy issues of electronic signatures
o To develop technical standards for the National PKI: diffuse new technologies related to electronic signatures and standardize them
o To promote the use of electronic signatures
o To support international cooperation: research on certification services and mutual recognition
1.3.3.2. Accredited CAs
Statistics on Accredited CAs (as of June 2006; published by the MIC)
o South Korea now has five accredited CAs: SGCA (SignGATE), KOSCOM, KFTC, CrossCert and KTNET.
<Table 20> Statistics on Accredited CAs
No. | Accredited CA / web site | Accredited date | Characteristics | Main business area
1 | SGCA (SignGATE), http://www.signgate.co.kr | 2000. 02. 10 | Corporation | All industries
2 | KOSCOM (CA: SignKorea), http://www.signkorea.com | 2000. 02. 10 | Special-purpose corporation | Cyber trading
3 | KFTC (CA: yessign), http://www.yessign.com | 2000. 04. 12 | Non-commercial organization | Internet banking
4 | CrossCert (CA: CrossCert), http://gca.crosscert.com | 2001. 11. 24 | Corporation | All industries
5 | KTNET (CA: TradeSign), http://www.tradesign.net | 2002. 03. 11 | State-run corporation with a special mission | Trading
RA and E-Service Provider (as of September 30, 2008; published by the MOPAS)
o An RA (registration authority) is an entity that verifies the identity of a user, while a service provider is an entity that uses accredited certificates for its services.
<Table 21> Statistics on RA and e-Service Provider
CA | RA | Service organization | Notes
KICA | 141 | 281 |
KOSCOM | 94 | 135 |
KFTC | 22 | 301 |
CrossCert | 52 | 63 |
KTNET | 28 | 36 |
Total | 337 | 816 |
Types of Accredited Certificate and Fees
o Certificates serve two purposes: general and specific. General-purpose certificates can be used for any type of transaction and cost US$4 for an individual and US$100 for a corporation. Specific-purpose certificates are used only for a certain kind of transaction, such as banking, and in that case the fee is borne by the business entity.
o Consumers have paid fees for general-purpose corporate certificates since 2000 and for general-purpose individual certificates since June 2004.
<Table 22> Types of Certificate and Fee
Type | Entity | Certificate usage field | Fee
General | Individual | All electronic transactions | 4,400 won (US$4)
General | Corporation | All electronic transactions | 100,000 won (US$100)
Specific | - | G2C, bank, insurance | Free
Specific | - | G2C, stock, insurance | Free
Specific | - | G4C, credit card | Free
Number of Users and Certificates Issued (as of February 28, 2009; published by the MIC)
o Approximately 29 million certificates have been issued. Individual users obtain certificates for purposes such as Internet banking, stock trading and credit card payment, while corporate users obtain them for online procurement, tax payment and other payments.
<Table 23> Statistics on issued certificates
CA | Server | Individual: general purpose | Individual: specific purpose, bank/insurance | Individual: specific purpose, stock/insurance | Individual: specific purpose, credit card | Individual: special purpose | Corporation | Total
KICA | 2,992 | 803,606 | 1,027,421 | 0 | 5 | 66,348 | 446,225 | 2,346,597
KOSCOM | 707 | 1,270,163 | 0 | 2,728,417 | 333 | 112,967 | 112,706 | 4,225,293
KFTC | 287 | 284,113 | 20,192,180 | 0 | 0 | 0 | 1,972,121 | 22,448,701
CrossCert | 442 | 404,795 | 676 | 0 | 0 | 53,083 | 193,405 | 652,401
KTNET | 261 | 2,778 | 0 | 0 | 0 | 11,221 | 139,947 | 154,207
Sum | 4,689 | 2,765,455 | 21,220,277 | 2,728,417 | 338 | 243,619 | 2,864,404 | 29,827,199
Number of annual issuance of certificates (as of September 30, 2008; published by the MOPAS)
o Issuance has risen steadily since 2000 and is expected to continue to do so, given the increasing demand for wireless accredited certificates and device certificates.
(Figure 16) Annual Issuance of Certificates
2. The State of Brunei PKI
2.1. E-Government Institutional Structure
The E-Government National Centre has played the leading role in establishing the organization through which each government agency delivers e-services in cooperation with the other government authorities.
(Figure 17) e-Government Institutional Structure in Brunei
EGLF (E-Government Leadership Forum)
o Chaired by the Minister of Energy, PMO
o Members are the Permanent Secretaries of the Ministries
o To modernize the civil service so that it meets public service delivery expectations and manages the demands of a dynamic environment through increased use of ICT
o To set strategic policy directions and be accountable for the overall delivery of the e-Government initiative
o To report quarterly to His Majesty the Sultan and Yang Di-Pertuan of Brunei Darussalam
Overall Government CIO
o Deputy Permanent Secretary at the PMO
o To identify, create and realize more value from current and proposed systems and applications so that they best serve the Government, citizens, communities and businesses, particularly through citizen-centric services
o To ensure that e-Government programs and projects are aligned with the strategic direction and any other directive of the EGLF
o To manage performance and feedback from the Ministries' CIOs
o To escalate matters raised by the CIOs and cascade directives from the EGLF
EGNC (e-Government National Centre)
o Service Operation for Government
o ICT Central Procurement
o ICT Human Resource Management
o Strategic e-Government planner *
o Technical Advisory *
o EGLF secretariat *
o Note: * Previously the role of E-Government Technical Authority Body (EGTAB)
CIO Meeting (*previously known as CIO Dialogue)
o Chaired by Overall Government CIO
o Gather inputs from CIOs at the various Ministries and reports them to EGLF
o Cascading of policies, guidelines etc.
o Endorsing non-flagship e-Government projects
Industry Dialogue Session
o Chaired by overall Government CIO
o Attended by representative from the ICT industry including IFB
o Gather industry feedback and comments
o To socialize policies, regulations etc.
Ministries
o Responsible for the implementation and management of projects and e-services
ITPSS (IT Protective Security Services Sdn Bhd)
o Exclusive security services provider for the E-Government
AITI (Authority for Info-communications Technology Industry)
o Info-communications regulator
o Development of the ICT industry in Brunei Darussalam
2.2. PKI Hierarchy in Brunei
MOF (Ministry of Finance)
o The MOF is the Controller of Certification Authorities defined by the Electronic Transactions Act.
o The MOF may make regulations setting out detailed guidelines for the regulation and licensing of certification authorities.
EGNC (E-Government National Centre)
o EGNC is the government CA, issuing secure e-mail and web server certificates to public servants and government organizations.
o The EGNC PKI system is operated in the EGNC data centre and a backup site.
o EGNC operates the root CA system, which issues the CA certificate for the EGNC government CA.
o There are five RAs in addition to EGNC.
(Figure 18) PKI Scheme in Brunei
2.3. Legal Framework of PKI in Brunei
(Figure 19) PKI legal Framework in Brunei
Brunei only has the Electronic Transactions Act, which is very similar to the Singaporean act.
The Korean PKI consultants proposed that the legal framework of PKI in Brunei follow the Singaporean legal structure (ETA - ETR - Guidelines).
2.4. PKI application in Brunei
TAFIS (Treasury Accounting and Financial Information System)
o TAFIS will adopt certificate-based login in place of ID/password in order to strengthen authentication and security.
o The Government CA in EGNC will issue certificates to TAFIS users, with the CA using an HSM.
o Promoting public trust through the development of e-government services that can be offered on the Internet because documents are digitally signed
(Figure 20) PKI based login in TAFIS System
3. The State of Kenya PKI
3.1. E-Government Institutional Structure
Cabinet Committee
o At the top of the structure; it comprises the Minister of State for Provincial Administration and National Security (Chair), the Minister for Finance, the Minister for Information and Communications, and the Minister for Education, Science and Technology. It oversaw the implementation of the e-Government strategy.
(Figure 21) e-Government Institutional Structure in Kenya
Permanent Secretaries Committee
o Consists of Permanent Secretaries and Accounting Officers
o Implements selected e-Government initiatives by providing ownership
o Institutional support
National Communication Secretariat (NCS)
o Formulate info-communication policies and recommendations
o Carry out telecommunications and postal policy, research and analysis
o Conduct continuous review of all phases of development in info-communications
o Assist in the preparation of country position papers for all international meetings
o Update sector policy statements, sessional papers and legislations pertaining to info
communications
3.2. PKI Hierarchy
Ministry of Information and Communications
o Developing ICT policy including information policy, communication policy, film
development policy
o Coordinating the dissemination of public information and the development of national
communications capacity
Communications Commission of Kenya (CCK)
o Regulatory authority for the communications sector in Kenya
o Facilitating the development of the information and communications sectors (including broadcasting, multimedia, telecommunications and postal services) and electronic commerce, and managing the country's radio-frequency spectrum
Kenya ICT Board
o Positioning and promoting Kenya as an ICT destination (locally and internationally)
o Promoting Business Process Outsourcing (BPO) and Offshoring;
o Advising the government on all relevant matters pertaining to the development and
promotion of ICT industries in the country
o Providing government and other stakeholders with skills, capacity and funding for
anchor implementation of ICT projects for development
o Coordinating, directing and implementing anchor ICT projects within Government
(Figure 22) PKI Scheme in Kenya
3.3. Legal Framework
The highest legislation pertaining to PKI in Kenya is the "Kenya Information and Communications Act of 1998, CAP 411A" (hereinafter KICA); under KICA, the "Electronic Certification and Domain Name Administration Regulations 2010" describe the details.
(Figure 23) PKI legal Framework in Kenya
The CCK (Communications Commission of Kenya), which will take the role of Root Certificate Authority in the Kenya National Public Key Infrastructure, defines the licence framework for Certification Service Providers (CSPs), i.e. the certificate authorities that issue certificates, through the "Technical Rollout Requirements for Certification Service Providers".
The legislative framework for the national PKI is summarized below.
<Table 24> Legislative Framework
Category | Contents
Law | Kenya Information and Communications Act, CAP 411A
Regulation | Kenya Information and Communications Act (Electronic Certification and Domain Name Administration) Regulations 2010
Policy and licence framework | Technical Rollout Requirements for Certification Service Providers (CSPs)
3.4. PKI application
The Kenya Revenue Authority (KRA) has introduced a new online system, iTax, meant to improve the existing Integrated Tax Management System (ITMS). iTax is an integrated, web-enabled and secure application that provides an automated solution for the administration of domestic taxes. The system aims to improve compliance and reduce tax evasion. The KRA plans to replace ID/password login with certificate-based login in the near future in order to strengthen authentication and security.
Development of Pilot Application Integration
o The Government CA will issue certificates to KRA users.
o Promoting public trust through the development of e-government services that can be offered on the Internet because documents are digitally signed
o Collecting requirements for applying PKI to e-government services and the related development
4. The State of Cameroon PKI
4.1. PKI Hierarchy
Ministry of Posts and Telecommunications (MINPOSTEL)
o Contributing to the development of infrastructure and network access for new information and communication technologies
o Supervising public enterprises operating in the information and communication technologies sector
o Formulating PKI-relevant policies
o Obtaining the cooperation of the relevant agencies
National Agency for Information and Communication Technologies (ANTIC)
o Promotion and monitoring of public policy on Information Technology and
Communication (ICT)
o Developing and monitoring the implementation of the national strategy for ICT
development;
o Developing policies and procedures for registration of ICT environment
o PKI Center Operation
o Provides administrative and technical supports for Government RA and Accredited
CA
(Figure 24) PKI Scheme in Cameroon
4.2. Legal Framework
In December 2010 the President of the Republic enacted the Law on Electronic Commerce, which includes provisions on electronic signatures.
4.3. PKI application
ANTIC is considering issuing certificates to bank clerks of the Cameroon Postal Services (CAMPOST). CAMPOST will enhance the security of e-POST with PKI (strong authentication, digital signature, data encryption); the "current account" and "money transfer" functions of e-POST will be secured with PKI as a pilot application.
The figure below shows the concept of e-Post with PKI.
(Figure 25) e-Post in Cameroon
o The bank user requests a certificate from the teller (RA administrator) face to face.
o The teller registers the user's information with the CA and receives an issuance code for the certificate.
o The bank user obtains a certificate on their laptop by presenting the issuance code.
o The bank user accesses the e-Post system through certificate-based login.
o The e-Post system verifies the bank user's certificate; if it is valid, the system offers the banking service.
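The enrollment and login steps above, together with the unified verification server of section 1.3.2 (one relying party that trusts both the GPKI and the NPKI root), as an added example in Go using only the standard library's crypto/x509. It is not code from the report or from any of the PKIs it describes. It assumes a toy in-memory CA (a real CA keeps its key in an HSM and its registrations in a database), ECDSA P-256 keys, random 64-bit serial numbers and the hypothetical names "National Root CA" and "e-Post CA"; it does not check revocation (CRL/OCSP), which a production verifier must add.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CA: signing key, own certificate and the unused one-time issuance codes the RA registered.
type CA struct {
	key   *ecdsa.PrivateKey
	cert  *x509.Certificate
	codes map[string]string // issuance code -> registered subscriber name (in-memory stand-in)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under this CA with a random 64-bit serial and returns it parsed.
func (ca *CA) sign(tmpl *x509.Certificate, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key))
	return must(x509.ParseCertificate(der))
}

// NewCA builds one level of the hierarchy: a self-signed root when parent is nil,
// otherwise a subordinate CA certified by parent (as a root CA certifies its ACAs).
func NewCA(name string, parent *CA) *CA {
	ca := &CA{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), codes: map[string]string{}}
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(5, 0, 0),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil { // a root signs its own template with its own key
		parent, ca.cert = ca, tmpl
	}
	ca.cert = parent.sign(tmpl, &ca.key.PublicKey)
	return ca
}

// Register is the RA step: after face-to-face identification the teller registers
// the subscriber and receives a fresh one-time issuance code to hand over.
func (ca *CA) Register(subscriber string) string {
	raw := make([]byte, 16)
	must(rand.Read(raw))
	code := hex.EncodeToString(raw)
	ca.codes[code] = subscriber
	return code
}

// Issue redeems the code and binds the subscriber's public key to the registered
// name. The code is deleted on first use, so a captured code cannot be replayed.
func (ca *CA) Issue(code string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	name, ok := ca.codes[code]
	if !ok {
		return nil, fmt.Errorf("issuance code %q unknown or already used", code)
	}
	delete(ca.codes, code)
	return ca.sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name},
		NotBefore:   time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, pub), nil
}

// VerifyLogin is the relying party's check at certificate-based login: the presented
// chain must end at a trusted root (both the GPKI and the NPKI root for unified
// verification) and the leaf must be valid now and permitted for client authentication.
func VerifyLogin(leaf *x509.Certificate, chain []*x509.Certificate, roots ...*x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	for _, r := range roots {
		opts.Roots.AddCert(r)
	}
	for _, c := range chain {
		opts.Intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	root := NewCA("National Root CA", nil)
	ca := NewCA("e-Post CA", root)
	userPub := &must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)).PublicKey // key pair made on the user's laptop
	cert := must(ca.Issue(ca.Register("account holder 0001"), userPub))
	fmt.Println(VerifyLogin(cert, []*x509.Certificate{ca.cert}, root.cert))
}
```

Run it with go run. The single-use issuance code is what links the teller's face-to-face identification to the key pair generated on the user's laptop; a second redemption of the same code fails. VerifyLogin with several roots is the unified verification server in miniature: a certificate that chains to a root outside the pool, or that is presented without its issuing CA certificate, is rejected by Verify, and the same function with a single root is an ordinary one-PKI verifier.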
5. The State of Germany PKI
5.1. PKI Hierarchy in Germany
(Figure 26) PKI hierarchy in Germany
Two root CAs were established to provide certification services for the private and the public sector
Accredited CAs issue digital certificates to citizens, private companies and servers (G2C, G2B, B2B)
Government CAs issue digital certificates to public officials (G2G)
5.2. Legal Framework of PKI in Germany
(Figure 27) PKI legal Framework in Germany
The Digital Signature Act (SigG) has been in effect since May 2001, and its first amendment (SigG*) entered into force in January 2005.
SigG* designates the Federal Network Agency as the supervisory and accreditation body for CAs and as the root CA.
The BSI (Federal Office for Information Security) is the root CA for the public sector as well as the verification and confirmation agency.
5.3. PKI application in Germany
An SSL certificate costs from about USD 7 for an individual to about USD 150 for a corporation
Certification service providers may identify an applicant using data they collected from that applicant at an earlier point in time, if the applicant agrees to this simplified identification procedure. A CSP can also use applicant identification data from third parties, or delegate applicant identification to another company; this is intended to promote the use of qualified certificates in banking.
5.4. PKI Policy
Accounting
o The Principles of Data Access and Verifiability of Digital Documentation (GDPdU), a letter of the Federal Ministry of Finance dated 16 July 2001, contain rules on the retention of digital documentation and on taxpayers' duty to cooperate in company audits.
o The GDPdU stipulations include the retention of invoices and require that an electronic invoice bear a certified electronic signature.
E-Government
o The E-Government Act (August 2013) came into effect; its main provisions are
Obligation to open an electronic channel and to provide e-mail access;
Principles of electronic record-keeping and replacement scanning;
Relief in the provision of electronic evidence and electronic payment in administrative procedures;
Fulfilment of publication obligations by electronic publication and promulgation in official gazettes;
Obligation to document and analyse processes;
Regulation of the supply of machine-readable data files by the administration
Electronic Identity Card
o Germany has used the eID card since 2010
o The eID is used for authentication and for signing e-documents with a digital signature
6. Regulation (EU) No 910/2014
REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 23 July 2014
on electronic identification and trust services for electronic transactions in the internal market and
repealing Directive 1999/93/EC
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114
thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee ( 1 ),
Acting in accordance with the ordinary legislative procedure ( 2 ),
Whereas:
(1) Building trust in the online environment is key to economic and social development.
Lack of trust, in particular because of a perceived lack of legal certainty, makes
consumers, businesses and public authorities hesitate to carry out transactions
electronically and to adopt new services.
(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by
providing a common foundation for secure electronic interaction between citizens,
businesses and public authorities, thereby increasing the effectiveness of public and
private online services, electronic business and electronic commerce in the Union.
(3) Directive 1999/93/EC of the European Parliament and of the Council ( 3 ), dealt with
electronic signatures without delivering a comprehensive cross-border and cross-sector
framework for secure, trustworthy and easy-to-use electronic transactions. This
Regulation enhances and expands the acquis of that Directive.
(4) The Commission communication of 26 August 2010 entitled ‘A Digital Agenda for
Europe’ identified the fragmentation of the digital market, the lack of interoperability and
the rise in cybercrime as major obstacles to the virtuous cycle of the digital economy. In
its EU Citizenship Report 2010, entitled ‘Dismantling the obstacles to EU citizens’
rights’, the Commission further highlighted the need to solve the main problems that
prevent Union citizens from enjoying the benefits of a digital single market and cross-
border digital services.
(5) In its conclusions of 4 February 2011 and of 23 October 2011, the European Council
invited the Commission to create a digital single market by 2015, to make rapid progress
in key areas of the digital economy and to promote a fully integrated digital single market
by facilitating the cross-border use of online services, with particular attention to
facilitating secure electronic identification and authentication.
(6) In its conclusions of 27 May 2011, the Council invited the Commission to contribute to
the digital single market by creating appropriate conditions for the mutual recognition of
key enablers across borders, such as electronic identification, electronic documents,
electronic signatures and electronic delivery services, and for interoperable e-government
services across the European Union.
(7) The European Parliament, in its resolution of 21 September 2010 on completing the
internal market for e-commerce ( 1 ), stressed the importance of the security of electronic
services, especially of electronic signatures, and of the need to create a public key
infrastructure at pan-European level, and called on the Commission to set up a European
validation authorities gateway to ensure the cross-border interoperability of electronic
signatures and to increase the security of transactions carried out using the internet.
(8) Directive 2006/123/EC of the European Parliament and of the Council ( 2 ) requires
Member States to establish ‘points of single contact’ (PSCs) to ensure that all procedures
and formalities relating to access to a service activity and to the exercise thereof can be
easily completed, at a distance and by electronic means, through the appropriate PSC
with the appropriate authorities. Many online services accessible through PSCs require
electronic identification, authentication and signature.
(9) In most cases, citizens cannot use their electronic identification to authenticate
themselves in another Member State because the national electronic identification
schemes in their country are not recognised in other Member States. That electronic
barrier excludes service providers from enjoying the full benefits of the internal market.
Mutually recognised electronic identification means will facilitate cross-border provision
of numerous services in the internal market and enable businesses to operate on a cross-
border basis without facing many obstacles in interactions with public authorities.
(10) Directive 2011/24/EU of the European Parliament and of the Council ( 3 ) set up a
network of national authorities responsible for e-health. To enhance the safety and the
continuity of cross-border healthcare, the network is required to produce guidelines on
cross-border access to electronic health data and services, including by supporting
‘common identification and authentication measures to facilitate transferability of data in
cross- border healthcare’. Mutual recognition of electronic identification and
authentication is key to making cross- border healthcare for European citizens a reality.
When people travel for treatment, their medical data need to be accessible in the country
of treatment. That requires a solid, safe and trusted electronic identification framework.
(11) This Regulation should be applied in full compliance with the principles relating to
the protection of personal data provided for in Directive 95/46/EC of the European
Parliament and of the Council ( 4 ). In this respect, having regard to the principle of
mutual recognition established by this Regulation, authentication for an online service
should concern processing of only those identification data that are adequate, relevant
and not excessive to grant access to that service online. Furthermore, requirements under
Directive 95/46/EC concerning confidentiality and security of processing should be
respected by trust service providers and supervisory bodies.
(12) One of the objectives of this Regulation is to remove existing barriers to the cross-
border use of electronic identification means used in the Member States to authenticate,
for at least public services. This Regulation does not aim to intervene with regard to
electronic identity management systems and related infrastructures established in
Member States. The aim of this Regulation is to ensure that for access to cross-border
online services offered by Member States, secure electronic identification and
authentication is possible.
(13) Member States should remain free to use or to introduce means for the purposes of
electronic identification for accessing online services. They should also be able to decide
whether to involve the private sector in the provision of those means. Member States
should not be obliged to notify their electronic identification schemes to the Commission.
The choice to notify the Commission of all, some or none of the electronic identification
schemes used at national level to access at least public online services or specific services
is up to Member States.
(14) Some conditions need to be set out in this Regulation with regard to which
electronic identification means have to be recognised and how the electronic
identification schemes should be notified. Those conditions should help Member States
to build the necessary trust in each other’s electronic identification schemes and to
mutually recognise electronic identification means falling under their notified schemes.
The principle of mutual recognition should apply if the notifying Member State’s
electronic identification scheme meets the conditions of notification and the notification
was published in the Official Journal of the European Union. However, the principle of
mutual recognition should only relate to authentication for an online service. The access
to those online services and their final delivery to the applicant should be closely linked
to the right to receive such services under the conditions set out in national legislation.
(15) The obligation to recognise electronic identification means should relate only to
those means the identity assurance level of which corresponds to the level equal to or
higher than the level required for the online service in question. In addition, that
obligation should only apply when the public sector body in question uses the assurance
level ‘substantial’ or ‘high’ in relation to accessing that service online. Member States
should remain free, in accordance with Union law, to recognise electronic identification
means having lower identity assurance levels.
(16) Assurance levels should characterise the degree of confidence in electronic
identification means in establishing the identity of a person, thus providing assurance that
the person claiming a particular identity is in fact the person to which that identity was
assigned. The assurance level depends on the degree of confidence that electronic
identification means provides in the claimed or asserted identity of a person, taking into
account processes (for example, identity proofing and verification, and authentication),
management activities (for example, the entity issuing electronic identification means
and the procedure to issue such means) and technical controls implemented. Various
technical definitions and descriptions of assurance levels exist as the result of Union-
funded Large-Scale Pilots, standardisation and international activities. In particular, the
Large-Scale Pilot STORK and ISO 29115 refer, inter alia, to levels 2, 3 and 4, which
should be taken into utmost account in establishing minimum technical requirements,
standards and procedures for the assurance levels low, substantial and high within the
meaning of this Regulation, while ensuring consistent application of this Regulation in
particular with regard to assurance level high related to identity proofing for issuing
qualified certificates. The requirements established should be technology-neutral. It
should be possible to achieve the necessary security requirements through different
technologies.
(17) Member States should encourage the private sector to voluntarily use electronic
identification means under a notified scheme for identification purposes when needed for
online services or electronic transactions. The possibility to use such electronic
identification means would enable the private sector to rely on electronic identification
and authentication already largely used in many Member States at least for public
services and to make it easier for businesses and citizens to access their online services
across borders. In order to facilitate the use of such electronic identification means across
borders by the private sector, the authentication possibility provided by any Member
State should be available to private sector relying parties established outside of the
territory of that Member State under the same conditions as applied to private sector
relying parties established within that Member State. Consequently, with regard to
private sector relying parties, the notifying Member State may define terms of access to
the authentication means. Such terms of access may inform whether the authentication
means related to the notified scheme is presently available to private sector relying
parties.
(18) This Regulation should provide for the liability of the notifying Member State, the
party issuing the electronic identification means and the party operating the
authentication procedure for failure to comply with the relevant obligations under this
Regulation. However, this Regulation should be applied in accordance with national rules
on liability. Therefore, it does not affect those national rules on, for example, definition
of damages or relevant applicable procedural rules, including the burden of proof.
(19) The security of electronic identification schemes is key to trustworthy cross-border
mutual recognition of electronic identification means. In this context, Member States
should cooperate with regard to the security and interoperability of the electronic
identification schemes at Union level. Whenever electronic identification schemes
require specific hardware or software to be used by relying parties at the national level,
cross-border interoperability calls for those Member States not to impose such
requirements and related costs on relying parties established outside of their territory. In
that case appropriate solutions should be discussed and developed within the scope of the
interoperability framework. Nevertheless, technical requirements stemming from the
inherent specifications of national electronic identification means and likely to affect the
holders of such electronic means (e.g. smartcards), are unavoidable.
(20) Cooperation by Member States should facilitate the technical interoperability of the
notified electronic identification schemes with a view to fostering a high level of trust
and security appropriate to the degree of risk. The exchange of information and the
sharing of best practices between Member States with a view to their mutual recognition
should help such cooperation.
(21) This Regulation should also establish a general legal framework for the use of trust
services. However, it should not create a general obligation to use them or to install an
access point for all existing trust services. In particular, it should not cover the provision
of services used exclusively within closed systems between a defined set of participants,
which have no effect on third parties. For example, systems set up in businesses or public
administrations to manage internal procedures making use of trust services should not be
subject to the requirements of this Regulation. Only trust services provided to the public
having effects on third parties should meet the requirements laid down in the Regulation.
Neither should this Regulation cover aspects related to the conclusion and validity of
contracts or other legal obligations where there are requirements as regards form laid
down by national or Union law. In addition, it should not affect national form
requirements pertaining to public registers, in particular commercial and land registers.
(22) In order to contribute to their general cross-border use, it should be possible to use
trust services as evidence in legal proceedings in all Member States. It is for the national
law to define the legal effect of trust services, except if otherwise provided in this
Regulation.
(23) To the extent that this Regulation creates an obligation to recognise a trust service,
such a trust service may only be rejected if the addressee of the obligation is unable to
read or verify it due to technical reasons lying outside the immediate control of the
addressee. However, that obligation should not in itself require a public body to obtain
the hardware and software necessary for the technical readability of all existing trust
services.
(24) Member States may maintain or introduce national provisions, in conformity with
Union law, relating to trust services as far as those services are not fully harmonised by
this Regulation. However, trust services that comply with this Regulation should
circulate freely in the internal market.
(25) Member States should remain free to define other types of trust services in addition
to those making part of the closed list of trust services provided for in this Regulation, for
the purpose of recognition at national level as qualified trust services.
(26) Because of the pace of technological change, this Regulation should adopt an
approach which is open to innovation.
(27) This Regulation should be technology-neutral. The legal effects it grants should be
achievable by any technical means provided that the requirements of this Regulation are
met.
(28) To enhance in particular the trust of small and medium-sized enterprises (SMEs)
and consumers in the internal market and to promote the use of trust services and
products, the notions of qualified trust services and qualified trust service provider should
be introduced with a view to indicating requirements and obligations that ensure high-
level security of whatever qualified trust services and products are used or provided.
(29) In line with the obligations under the United Nations Convention on the Rights of
Persons with Disabilities, approved by Council Decision 2010/48/EC ( 1 ), in particular
Article 9 of the Convention, persons with disabilities should be able to use trust services
and end-user products used in the provision of those services on an equal basis with other
consumers. Therefore, where feasible, trust services provided and end-user products used
in the provision of those services should be made accessible for persons with disabilities.
The feasibility assessment should include, inter alia, technical and economic
considerations.
(30) Member States should designate a supervisory body or supervisory bodies to carry
out the supervisory activities under this Regulation. Member States should also be able to
decide, upon a mutual agreement with another Member State, to designate a supervisory
body in the territory of that other Member State.
(31) Supervisory bodies should cooperate with data protection authorities, for example,
by informing them about the results of audits of qualified trust service providers, where
personal data protection rules appear to have been breached. The provision of
information should in particular cover security incidents and personal data breaches.
(32) It should be incumbent on all trust service providers to apply good security practice
appropriate to the risks related to their activities so as to boost users’ trust in the single
market.
(33) Provisions on the use of pseudonyms in certificates should not prevent Member
States from requiring identification of persons pursuant to Union or national law.
(34) All Member States should follow common essential supervision requirements to
ensure a comparable security level of qualified trust services. To ease the consistent
application of those requirements across the Union, Member States should adopt
comparable procedures and should exchange information on their supervision activities
and best practices in the field.
(35) All trust service providers should be subject to the requirements of this Regulation,
in particular those on security and liability to ensure due diligence, transparency and
accountability of their operations and services. However, taking into account the type of
services provided by trust service providers, it is appropriate to distinguish as far as those
requirements are concerned between qualified and non-qualified trust service providers.
(36) Establishing a supervisory regime for all trust service providers should ensure a
level playing field for the security and accountability of their operations and services,
thus contributing to the protection of users and to the functioning of the internal market.
Non-qualified trust service providers should be subject to a light touch and reactive ex
post supervisory activities justified by the nature of their services and operations. The
supervisory body should therefore have no general obligation to supervise non-qualified
service providers. The supervisory body should only take action when it is informed (for
example, by the non-qualified trust service provider itself, by another supervisory body,
by a notification from a user or a business partner or on the basis of its own investigation)
that a non-qualified trust service provider does not comply with the requirements of this
Regulation.
(37) This Regulation should provide for the liability of all trust service providers. In
particular, it establishes the liability regime under which all trust service providers should
be liable for damage caused to any natural or legal person due to failure to comply with
the obligations under this Regulation. In order to facilitate the assessment of financial
risk that trust service providers might have to bear or that they should cover by insurance
policies, this Regulation allows trust service providers to set limitations, under certain
conditions, on the use of the services they provide and not to be liable for damages
arising from the use of services exceeding such limitations. Customers should be duly
informed about the limitations in advance. Those limitations should be recognisable by a
third party, for example by including information about the limitations in the terms and
conditions of the service provided or through other recognisable means. For the purposes
of giving effect to those principles, this Regulation should be applied in accordance with
national rules on liability. Therefore, this Regulation does not affect those national rules
on, for example, definition of damages, intention, negligence, or relevant applicable
procedural rules.
(38) Notification of security breaches and security risk assessments is essential with a
view to providing adequate information to concerned parties in the event of a breach of
security or loss of integrity.
(39) To enable the Commission and the Member States to assess the effectiveness of the
breach notification mechanism introduced by this Regulation, supervisory bodies should
be requested to provide summary information to the Commission and to the European Union
Agency for Network and Information Security (ENISA).
(40) To enable the Commission and the Member States to assess the effectiveness of the
enhanced supervision mechanism introduced by this Regulation, supervisory bodies
should be requested to report on their activities. This would be instrumental in facilitating
the exchange of good practice between supervisory bodies and would ensure the
verification of the consistent and efficient implementation of the essential supervision
requirements in all Member States.
(41) To ensure sustainability and durability of qualified trust services and to boost users’
confidence in the continuity of qualified trust services, supervisory bodies should verify
the existence and the correct application of provisions on termination plans in cases
where qualified trust service providers cease their activities.
(42) To facilitate the supervision of qualified trust service providers, for example, when a
provider is providing its services in the territory of another Member State and is not
subject to supervision there, or when the computers of a provider are located in the
territory of a Member State other than the one where it is established, a mutual assistance
system between supervisory bodies in the Member States should be established.
(43) In order to ensure the compliance of qualified trust service providers and the
services they provide with the requirements set out in this Regulation, a conformity
assessment should be carried out by a conformity assessment body and the resulting
conformity assessment reports should be submitted by the qualified trust service
providers to the supervisory body. Whenever the supervisory body requires a qualified
trust service provider to submit an ad hoc conformity assessment report, the supervisory
body should respect, in particular, the principles of good administration, including the
obligation to give reasons for its decisions, as well as the principle of proportionality.
Therefore, the supervisory body should duly justify its decision to require an ad hoc
conformity assessment.
(44) This Regulation aims to ensure a coherent framework with a view to providing a
high level of security and legal certainty of trust services. In this regard, when addressing
the conformity assessment of products and services, the Commission should, where
appropriate, seek synergies with existing relevant European and international schemes
such as the Regulation (EC) No 765/2008 of the European Parliament and of the Council
( 1 ) which sets out the requirements for accreditation of conformity assessment bodies
and market surveillance of products.
(45) In order to allow an efficient initiation process, which should lead to the inclusion of
qualified trust service providers and the qualified trust services they provide into trusted
lists, preliminary interactions between prospective qualified trust service providers and
the competent supervisory body should be encouraged with a view to facilitating the due
diligence leading to the provisioning of qualified trust services.
(46) Trusted lists are essential elements in the building of trust among market operators
as they indicate the qualified status of the service provider at the time of supervision.
(47) Confidence in and convenience of online services are essential for users to fully
benefit and consciously rely on electronic services. To this end, an EU trust mark should
be created to identify the qualified trust services provided by qualified trust service
providers. Such an EU trust mark for qualified trust services would clearly differentiate
qualified trust services from other trust services thus contributing to transparency in the
market. The use of an EU trust mark by qualified trust service providers should be
voluntary and should not lead to any requirement other than those provided for in this
Regulation.
(48) While a high level of security is needed to ensure mutual recognition of electronic
signatures, in specific cases, such as in the context of Commission Decision 2009/767/EC
( 1 ), electronic signatures with a lower security assurance should also be accepted.
(49) This Regulation should establish the principle that an electronic signature should not
be denied legal effect on the grounds that it is in an electronic form or that it does not
meet the requirements of the qualified electronic signature. However, it is for national
law to define the legal effect of electronic signatures, except for the requirements
provided for in this Regulation according to which a qualified electronic signature should
have the equivalent legal effect of a handwritten signature.
(50) As competent authorities in the Member States currently use different formats of
advanced electronic signatures to sign their documents electronically, it is necessary to
ensure that at least a number of advanced electronic signature formats can be technically
supported by Member States when they receive documents signed electronically.
Similarly, when competent authorities in the Member States use advanced electronic
seals, it would be necessary to ensure that they support at least a number of advanced
electronic seal formats.
(51) It should be possible for the signatory to entrust qualified electronic signature
creation devices to the care of a third party, provided that appropriate mechanisms and
procedures are implemented to ensure that the signatory has sole control over the use of
his electronic signature creation data, and the qualified electronic signature requirements
are met by the use of the device.
(52) The creation of remote electronic signatures, where the electronic signature creation
environment is managed by a trust service provider on behalf of the signatory, is set to
increase in the light of its multiple economic benefits. However, in order to ensure that
such electronic signatures receive the same legal recognition as electronic signatures
created in an entirely user-managed environment, remote electronic signature service
providers should apply specific management and administrative security procedures and
use trustworthy systems and products, including secure electronic communication
channels, in order to guarantee that the electronic signature creation environment is
reliable and is used under the sole control of the signatory. Where a qualified electronic
signature has been created using a remote electronic signature creation device, the
requirements applicable to qualified trust service providers set out in this Regulation
should apply.
(53) The suspension of qualified certificates is an established operational practice of trust
service providers in a number of Member States, which is different from revocation and
entails the temporary loss of validity of a certificate. Legal certainty calls for the
suspension status of a certificate to always be clearly indicated. To that end, trust service
providers should have the responsibility to clearly indicate the status of the certificate and,
if suspended, the precise period of time during which the certificate has been suspended.
This Regulation should not impose the use of suspension on trust service providers or
Member States, but should provide for transparency rules when and where such a
practice is available.
(54) Cross-border interoperability and recognition of qualified certificates is a
precondition for cross-border recognition of qualified electronic signatures. Therefore,
qualified certificates should not be subject to any mandatory requirements exceeding the
requirements laid down in this Regulation. However, at national level, the inclusion of
specific attributes, such as unique identifiers, in qualified certificates should be allowed,
provided that such specific attributes do not hamper cross-border interoperability and
recognition of qualified certificates and electronic signatures.
(55) IT security certification based on international standards such as ISO 15408 and
related evaluation methods and mutual recognition arrangements is an important tool for
verifying the security of qualified electronic signature creation devices and should be
promoted. However, innovative solutions and services such as mobile signing and cloud
signing rely on technical and organisational solutions for qualified electronic signature
creation devices for which security standards may not yet be available or for which the
first IT security certification is ongoing. The level of security of such qualified electronic
signature creation devices could be evaluated by using alternative processes only where
such security standards are not available or where the first IT security certification is
ongoing. Those processes should be comparable to the standards for IT security
certification insofar as their security levels are equivalent. Those processes could be
facilitated by a peer review.
(56) This Regulation should lay down requirements for qualified electronic signature
creation devices to ensure the functionality of advanced electronic signatures. This
Regulation should not cover the entire system environment in which such devices operate.
Therefore, the scope of the certification of qualified signature creation devices should be
limited to the hardware and system software used to manage and protect the signature
creation data created, stored or processed in the signature creation device. As detailed in
relevant standards, the scope of the certification obligation should exclude signature
creation applications.
(57) To ensure legal certainty as regards the validity of the signature, it is essential to
specify the components of a qualified electronic signature, which should be assessed by
the relying party carrying out the validation. Moreover, specifying the requirements for
qualified trust service providers that can provide a qualified validation service to relying
parties unwilling or unable to carry out the validation of qualified electronic signatures
themselves, should stimulate the private and public sector to invest in such services. Both
elements should make qualified electronic signature validation easy and convenient for
all parties at Union level.
(58) When a transaction requires a qualified electronic seal from a legal person, a
qualified electronic signature from the authorised representative of the legal person
should be equally acceptable.
(59) Electronic seals should serve as evidence that an electronic document was issued by
a legal person, ensuring certainty of the document’s origin and integrity.
(60) Trust service providers issuing qualified certificates for electronic seals should
implement the necessary measures in order to be able to establish the identity of the
natural person representing the legal person to whom the qualified certificate for the
electronic seal is provided, when such identification is necessary at national level in the
context of judicial or administrative proceedings.
(61) This Regulation should ensure the long-term preservation of information, in order to
ensure the legal validity of electronic signatures and electronic seals over extended
periods of time and guarantee that they can be validated irrespective of future
technological changes.
(62) In order to ensure the security of qualified electronic time stamps, this Regulation
should require the use of an advanced electronic seal or an advanced electronic signature
or of other equivalent methods. It is foreseeable that innovation may lead to new
technologies that may ensure an equivalent level of security for time stamps. Whenever a
method other than an advanced electronic seal or an advanced electronic signature is used,
it should be up to the qualified trust service provider to demonstrate, in the conformity
assessment report, that such a method ensures an equivalent level of security and
complies with the obligations set out in this Regulation.
(63) Electronic documents are important for further development of cross-border
electronic transactions in the internal market. This Regulation should establish the
principle that an electronic document should not be denied legal effect on the grounds
that it is in an electronic form in order to ensure that an electronic transaction will not be
rejected only on the grounds that a document is in electronic form.
(64) When addressing formats of advanced electronic signatures and seals, the
Commission should build on existing practices, standards and legislation, in particular
Commission Decision 2011/130/EU ( 1 ).
(65) In addition to authenticating the document issued by the legal person, electronic
seals can be used to authenticate any digital asset of the legal person, such as software
code or servers.
(66) It is essential to provide for a legal framework to facilitate cross-border recognition
between existing national legal systems related to electronic registered delivery services.
That framework could also open new market opportunities for Union trust service
providers to offer new pan-European electronic registered delivery services.
(67) Website authentication services provide a means by which a visitor to a website can
be assured that there is a genuine and legitimate entity standing behind the website.
Those services contribute to the building of trust and confidence in conducting business
online, as users will have confidence in a website that has been authenticated. The
provision and the use of website authentication services are entirely voluntary. However,
in order for website authentication to become a means to boosting trust, providing a
better experience for the user and furthering growth in the internal market, this
Regulation should lay down minimal security and liability obligations for the providers
and their services. To that end, the results of existing industry-led initiatives, for example
the Certification Authorities/Browsers Forum — CA/B Forum, have been taken into
account. In addition, this Regulation should not impede the use of other means or
methods to authenticate a website not falling under this Regulation nor should it prevent
third country providers of website authentication services from providing their services to
customers in the Union. However, a third country provider should only have its website
authentication services recognised as qualified in accordance with this Regulation, if an
international agreement between the Union and the country of establishment of the
provider has been concluded.
(68) The concept of ‘legal persons’, according to the provisions of the Treaty on the
Functioning of the European Union (TFEU) on establishment, leaves operators free to
choose the legal form which they deem suitable for carrying out their activity.
Accordingly, ‘legal persons’, within the meaning of the TFEU, means all entities
constituted under, or governed by, the law of a Member State, irrespective of their legal
form.
(69) The Union institutions, bodies, offices and agencies are encouraged to recognise
electronic identification and trust services covered by this Regulation for the purpose of
administrative cooperation capitalising, in particular, on existing good practices and the
results of ongoing projects in the areas covered by this Regulation.
(70) In order to complement certain detailed technical aspects of this Regulation in a
flexible and rapid manner, the power to adopt acts in accordance with Article 290 TFEU
should be delegated to the Commission in respect of criteria to be met by the bodies
responsible for the certification of qualified electronic signature creation devices. It is of
particular importance that the Commission carry out appropriate consultations during its
preparatory work, including at expert level. The Commission, when preparing and
drawing up delegated acts, should ensure a simultaneous, timely and appropriate
transmission of relevant documents to the European Parliament and to the Council.
(71) In order to ensure uniform conditions for the implementation of this Regulation,
implementing powers should be conferred on the Commission, in particular for
specifying reference numbers of standards the use of which would raise a presumption of
compliance with certain requirements laid down in this Regulation. Those powers should
be exercised in accordance with Regulation (EU) No 182/2011 of the European
Parliament and of the Council (1).
(72) When adopting delegated or implementing acts, the Commission should take due
account of the standards and technical specifications drawn up by European and
international standardisation organisations and bodies, in particular the European
Committee for Standardisation (CEN), the European Telecommunications Standards
Institute (ETSI), the International Organisation for Standardisation (ISO) and the
International Telecommunication Union (ITU), with a view to ensuring a high level of
security and interoperability of electronic identification and trust services.
(73) For reasons of legal certainty and clarity, Directive 1999/93/EC should be repealed.
(74) To ensure legal certainty for market operators already using qualified certificates
issued to natural persons in compliance with Directive 1999/93/EC, it is necessary to
provide for a sufficient period of time for transitional purposes. Similarly, transitional
measures should be established for secure signature creation devices, the conformity of
which has been determined in accordance with Directive 1999/93/EC, as well as for
certification service providers issuing qualified certificates before 1 July 2016. Finally, it
is also necessary to provide the Commission with the means to adopt the implementing
acts and delegated acts before that date.
(75) The application dates set out in this Regulation do not affect existing obligations
that Member States already have under Union law, in particular under Directive
2006/123/EC.
(76) Since the objectives of this Regulation cannot be sufficiently achieved by the
Member States but can rather, by reason of the scale of the action, be better achieved at
Union level, the Union may adopt measures, in accordance with the principle of
subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with
the principle of proportionality, as set out in that Article, this Regulation does not go
beyond what is necessary in order to achieve those objectives.
(77) The European Data Protection Supervisor was consulted in accordance with Article
28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (2)
and delivered an opinion on 27 September 2012 (3),
Glossary
ARL Authority Revocation List
ASN.1 Abstract Syntax Notation One
B2B Business to Business
BCA Bridge Certification Authority
BER Basic Encoding Rules
CA Certification Authority
CRL Certificate Revocation List
CC Cross Certification
CP Certificate Policy
CPS Certificate Practice Statement
CSP Certification Service Provider
CTL Certificates Trust List
DAP Directory Access Protocol
DER Distinguished Encoding Rules
DIT Directory Information Tree
DN Distinguished Name
EE End entity
LDAP Lightweight Directory Access Protocol
MS Member state
OCSP Online Certificate Status Protocol
OID Object Identifier
PKCS Public Key Cryptography Standard
PKI Public Key Infrastructure
RDN Relative Distinguished Name
RA Registration Authority
SCA Subordinate CA
VA Validation Authority
Mr. Jong Min, Choi,
Managing Director,
Korea Information Certificate Authority (KICA) Republic of Korea
Mr. Seung Ho, Ryu
Manager,
Korea Information Certificate Authority (KICA) Republic of Korea
Recommended