Mapping EU eIDAS and US FICAM: An exercise in global harmonization

Mapping EU eIDAS and US FICAM - ETSI

Peter Alterman, Ph.D.

Chief Operating Officer, SAFE-BioPharma Association

Agenda

Global harmonization: needs and goals

Overview comparison of eIDAS regulation and FICAM Trust Framework Solutions, v2.0

Overview comparison of SAFE-BioPharma Bridge CA policy and ETSI (in process) EN 319 411-1 et seq.

Summary and Conclusions

2 SAFE-BioPharma Association

Global Harmonization: Needs and Goals

Needs: businesses are increasingly global in nature; the life sciences sector is clearly in such a mode


Paper to Digital; In-house to Collaboration

Needs: businesses are increasingly converting paper processes to digital; businesses are increasingly collaborating online


Online is Dangerous

Needs: businesses are at increasing risk of harm online and require increased security and trust services


Common Rules Enable Business

Needs: common “rules of the road” that enable transactions, rather than separate business rules within each border


Goals

Resolve comparability variances in QCP and SBCA policies to enable SAFE-BioPharma Bridge CA to cross-certify any candidate CA that is recognized under the Qualified Certificate program using the policy mapping presented.

Formal recognition of the comparability of TSPs under eIDAS and CSPs (and components) under FICAM TFS to further global e-commerce.


eIDAS and FICAM TFS: Common Vision*

eIDAS

Purpose: This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

Components of Assurance Levels: Assurance levels should characterise the degree of confidence in electronic identification means in establishing the identity of a person, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity was assigned. The assurance level depends on the degree of confidence that electronic identification means provides in the claimed or asserted identity of a person, taking into account processes (for example, identity proofing and verification, and authentication), management activities (for example, the entity issuing electronic identification means and the procedure to issue such means) and technical controls implemented.

Architectural Basis: risk / risk mitigation, drawn from EC, ISO and ETSI documents

FICAM TFS

Purpose: The FICAM Trust Framework Solutions (TFS) is the federated identity framework for the U.S. federal government. It includes guidance, processes and supporting infrastructure to enable secure and streamlined citizen- and business-facing online service delivery.

Components of Assurance Levels: The FICAM TFS TFPAP defines a process whereby the government can assess the efficacy of Trust Frameworks for federal purposes, so that an Agency online application or service can trust an electronic identity credential provided to it at a known Level of Assurance (LOA) comparable to one of the four OMB LOAs. [M-04-04]: This guidance describes four identity authentication assurance levels for e-government transactions. Each assurance level describes the agency's degree of certainty that the user has presented an identifier (a credential in this context) that refers to his or her identity. In this context, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued.

Architectural Basis: risk / risk mitigation, drawn from NIST, ISO and USG documents

*We gratefully acknowledge the work of Rich Furr in the development of these analyses.

eIDAS-FICAM & FPKI LOA Mapping: Aligned

Columns in the original table: Assurance Level; eIDAS; FICAM; ETSI QCP; SBCA CP. (Slide dated 5/27/2015.)

Assurance Level 1

eIDAS: X

FICAM: LOA 1: Little or no confidence exists in the asserted identity.

ETSI QCP / SBCA CP: X

Assurance Level 2

eIDAS: assurance level low shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity;

FICAM: LOA 2: Some confidence in the asserted identity's validity.

ETSI QCP: Lightweight Certificate Profile (LCP): The subject can be: a) a natural person, b) a natural person identified in association with a legal person, c) a legal person (that can be an Organization or a unit or a department identified in association with an Organization), or, d) a device or system operated by or on behalf of a natural or legal person.

SBCA CP: Federal Bridge Rudimentary (NIST LOA 2)

Assurance Level 3

eIDAS: assurance level substantial shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a substantial degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity;

FICAM: LOA 3: High confidence in the asserted identity's validity.

ETSI QCP: Normalized Certificate Profile (NCP): The subject can be: a) a natural person, b) a natural person identified in association with a legal person, c) a legal person (that can be an Organization or a unit or a department identified in association with an Organization), or, d) a device or system operated by or on behalf of a natural or legal person.

SBCA CP: Federal Bridge Basic (NIST LOA 3): Can be a human subject, a Group or a device ≠ encryption certificate. Federal Bridge Medium (NIST LOA 3): Can be a human subject, a Group or a device ≠ encryption certificate.

Assurance Level 4

eIDAS: assurance level high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person than electronic identification means with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.

FICAM: LOA 4: Very high confidence in the asserted identity's validity.

ETSI QCP: Normalized Certificate Profile requiring a secure cryptographic device (NCP+): The subject can be: a) a natural person, b) a natural person identified in association with a legal person, c) a legal person (that can be an Organization or a unit or a department identified in association with an Organization), or, d) a device or system operated by or on behalf of a natural or legal person.

SBCA CP: Federal Bridge Medium Hardware (NIST LOA 4): Can be a human subject, a Group or a device ≠ encryption certificate. Federal Bridge High (governments only).

Full spreadsheet available at http://www.safe-biopharma.org/infocenter/ (General Background and Information)

Summary: eIDAS and FICAM TFS

Purposes align

LOA align

Common approach to risk and trust: reduced risk = increased trust, and vice versa

Few areas to align: privacy policies and practices

Spreadsheet available at: http://www.safe-biopharma.org/infocenter.htm

Summary: ETSI QCP and SBCA CP

Findings (non-comparable findings were shown in red in the original slide):

ETSI identifies six (6) different policies.  The Lightweight Certificate Policy can equate to the US basic, the Normalized Certificate Policy equals US Medium Assurance while the Extended Normalized Certificate Policy equates to the US high assurance.  

ETSI does not refer to bridge CAs in its documentation and the ETSI model does not recognize Bridge CAs in any PKI architecture.

ETSI recognizes Registration Services but does not specifically define relying parties, RA/LRA or TAs as SAFE and US FPKI do. For that reason, its documents do not address requirements for those functionaries at any point throughout 411-1 or its referents. It does have comparable requirements for identity proofing of Natural Persons and of Legal Persons. Natural Persons = Subscribers; Legal Persons ≈ Group signing (but ETSI certs are encryption certs while FPKI certs are AuthN certs); the purpose is the same.

The use of a Centralized Credential Server (CCS) is not covered in any of the ETSI documents.

SAFE prescribes appropriate certificate uses based on its user community needs.  ETSI places no restrictions on use. 

Relying Party requirements do not align. FPKI does not require RP to validate certificate; ETSI does require validation. The generalized issue is that ETSI standard places requirements on RPs while US FPKI does not do so.


Full spreadsheet available at: www.safe-biopharma.org/infocenter.htm. We gratefully acknowledge the work of Gianluca Ramunno and Rich Furr.

Summary: ETSI QCP and SBCA CP

Definitions and acronyms differ but are comparable.

The ETSI standard does not address AuthN certificates; however, references to DNs in 411-1 imply comparable requirements and definitions. This is another area where the ETSI standard does not address Subscriber AuthN. There is no conflict in policies, only a gap.

ETSI requires CRLs every day. SBCA publishes CRLs no less frequently than once every 31 days if the Principal CA only issues certificates to other CAs and the Principal CA is operated in an offline manner, and no less frequently than once every 24 hours otherwise. SBCA/FBCA make a distinction for Principal CAs issuing only cross-certificates to other Principal CAs; the ETSI standard makes no such distinction.

In the case of CA termination, 411-1 does not require revocation of issued certificates.

SBCA requires dual control for use of CA private signing key; 411-1 requires dual control for backup, storage and recovery but not for signing.

411-1 and the SBCA CP both address appropriate use and limitations within the community of trust.

Many gaps: targets for future analysis by ETSI and SBP


Next Steps

Recommend forming an SBP-ETSI workgroup to continue harmonizing EU and US PKI architectures with the SBCA CP as the testbed.

Recommend formal alignment of eIDAS LOA and FICAM LOA (2-4) with standing committee to synchronize policies going forward.


For Follow Up

Dr. Peter Alterman: [email protected]

Full spreadsheets upon which analyses are based available at: http://www.safe-biopharma.org/infocenter/

Once again, grateful acknowledgement of the work of Gianluca Ramunno of eWitness and Rich Furr for SAFE-BioPharma.
