IT Consulting Report: Romania-Korea IT Cooperation Program Analysis of international trend for PKI system

Romania-Korea IT Cooperation Program · The Report for “Romania-Korea IT Cooperation Program” has been produced by KICA under the NIA and ICI in Romania have the ownership on



PKI ENHANCEMENT CONSULTING


Preface

The report for the “Romania-Korea IT Cooperation Program” has been produced by KICA under the NIA, and ICI in Romania holds the ownership of the modification and revision of this report. For further information or additional modifications, please contact KICA at the following e-mail addresses:

<Project Team>

• Project Consultants (KICA)

Title             Name               Email              Tel
Project Manager   Mr. SUNGGU JUNG    [email protected]  +82 2 360 3022
Consultant        Mr. JONGMIN CHOI   [email protected]  +82 2 360 3200
Consultant        Mr. SEUNGHO RYU    [email protected]  +82 2 360 3223
Consultant        Mr. SANG LEE       [email protected]  +82 2 360 3055

<Registration Information>

• Document Name: Romania-Korea IT Cooperation Program
• Document Type: Microsoft Word 2010
• Document Version: Version 1.0
• Producer: KICA
• Last Modifier: SEUNGHO RYU
• Last Modification: 05th October, 2015

<Revision History>

No.  Version  Date                Reason                 Description  Modified by
1    1.0      05th October, 2015  The first publication  -            SEUNGHO RYU


CONTENTS

I. Overview
1. Definition
2. Background and Objective
2.1. Background
2.2. Objective
3. Scope
4. Team and Related Organization
4.1. Project Team
4.2. Related Organization

II. AS-IS Analysis
1. ICT Environment Analysis
2. Current PKI Status in Romania
2.1. PKI Scheme
2.2. Legal Framework
2.3. PKI Policy
2.4. PKI Status and Services

III. International trend for PKI
1. The Current State of Korea PKI
1.1. Overview
1.2. Status of Laws and Standards
1.3. PKI Model
2. The State of Brunei PKI
2.1. E-Government Institutional Structure
2.2. PKI Hierarchy in Brunei
2.3. Legal Framework of PKI in Brunei
2.4. PKI application in Brunei
3. The State of Kenya PKI
3.1. E-Government Institutional Structure
3.2. PKI Hierarchy
3.3. Legal Framework
3.4. PKI application
4. The State of Cameroon PKI
4.1. PKI Hierarchy
4.2. Legal Framework
4.3. PKI application
5. The State of Germany PKI
5.1. PKI Hierarchy in Germany
5.2. Legal Framework of PKI in Germany
5.3. PKI application in Germany
5.4. PKI Policy
6. Regulation (EU) No 910/2014


TABLE

<Table 1> Project Scope
<Table 2> Related Organization List in Romania
<Table 3> Country Profile
<Table 4> Penetration rates of fixed broadband internet access services at national level, respectively in urban/rural areas: 2012 – 2014
<Table 5> Legal Recognition of Digital Signature in Romania
<Table 6> Qualified CAs in Romania
<Table 7> Certificate Profiles in Romania
<Table 8> Major PKI enabled Government in Romania
<Table 9> Major Finding
<Table 10> Scope of Benchmarking of Korea
<Table 11> Count of law and standards
<Table 12> Differences between certificated signature and not-certified signature
<Table 13> Compensation responsibility of CA
<Table 14> Contents of CPS
<Table 15> GPKI and NPKI
<Table 16> Type of Certificate
<Table 17> Status of GPKI
<Table 18> Application Process
<Table 19> CA Audit Items
<Table 20> Statistics on Accredited CAs
<Table 21> Statistics on RA and e-Service Provider
<Table 22> Types of Certificate and Fee
<Table 23> Statistics on issued certificates
<Table 24> Legislative Framework


FIGURE

(Figure 1) Project Team
(Figure 2) Government Structure
(Figure 3) Penetration rates of broadband internet access connections: 2012 – 2014
(Figure 4) E-government development in the European Union (EU) Member States
(Figure 5) PKI architecture in Romania
(Figure 6) Considered PKI Scheme in Romania
(Figure 7) Structure of electronic signature
(Figure 8) NPKI model in Korea
(Figure 9) Procedure of assignment for accredited CA
(Figure 10) Procedure of assignment for accredited CA
(Figure 11) GPKI System Configuration
(Figure 12) NPKI System Organization
(Figure 13) Organization chart of KISA
(Figure 14) Accreditation Procedure
(Figure 15) Procedure for regular audits
(Figure 16) Annual Issuance of Certificates
(Figure 17) e-Government Institutional Structure in Brunei
(Figure 18) PKI Scheme in Brunei
(Figure 19) PKI legal Framework in Brunei
(Figure 20) PKI based login in TAFIS System
(Figure 21) e-Government Institutional Structure in Kenya
(Figure 22) PKI Scheme in Kenya
(Figure 23) PKI legal Framework in Kenya
(Figure 24) PKI Scheme in Cameroon
(Figure 25) e-Post in Cameroon
(Figure 26) PKI hierarchy in Germany
(Figure 27) PKI legal Framework in Germany


I. Overview

1. Definition

2. Background and Objectives

3. Scope

4. Team and Schedule


1. Definition

The following are the definitions of the current Project:

- Project Name: Romania-Korea IT Cooperation Project
- Target Country: Romania
- Organization: Institutul National de Cercetare-Dezvoltare in Informatica (ICI Bucuresti)
- Period: 5 months (2015.05 ~ 2015.10)

2. Background and Objective

The Romania-Korea IT Cooperation Project is a project between the NIA (National Information Society Agency) and ICI to provide consulting on the interoperability of PKI. The background and objectives of this study are explained below.

2.1. Background

To accommodate demands from various government agencies and to cope with the increasing demand for PKI interoperability, this project was conducted by a leading Korean company on behalf of its government.

The goals of the project are to lay the foundations for a PKI network, to facilitate mutual recognition between countries, and to provide a reliable and safe Internet environment.

2.2. Objective

The objectives of this project are as follows:

- A preliminary feasibility study for the vitalization of an efficient and stable certification system will be performed.
- Future vitalization measures for Romania’s national certification system, and measures for technology sharing with Korea, will be established through analyses of the legal system and the local issues in Romania:
  - Analysis of the current system in Romania
  - Introduction of Korea’s vitalization plan for the official certification system


3. Scope

Analysis of the international trend for PKI systems, based on the research results of the cases in Korea, Germany and Belgium.

<Table 1> Project Scope

Components                 Contents
Trend of Korea for PKI     - Korean PKI system technology
                           - PKI policy, law and regulations
Trend of Germany for PKI   - Germany PKI system scheme and technology
                           - PKI policy, law and regulations
                           - PKI operation and interoperability
Trend of Belgium for PKI   - Belgium PKI system scheme and technology
                           - PKI policy, law and regulations
                           - PKI enabled service and mandatory

4. Team and Related Organization

4.1. Project Team

To facilitate cooperation, a team is organized as follows:

(Figure 1) Project Team (organization chart; only the recoverable content is reproduced here)

Project leads: Romania: Mr. Bogdan Stroe; Korea: Mr. Sungu Jung

ICI: Mr. Bogdan Emil Stroe, Mr. Dragos Catalin Barbu, Mr. Paul Gheorghe
  Roles: providing current status, arranging interviews, attending interviews, visioning process, examining the To-Be model

KICA (Project Manager and Advisor roles): Mr. Sungu Jung, Mr. Jongmin Choi, Mr. Seungho Ryu, Mr. Sang Lee
  Roles: analyzing current status, conducting interviews, visioning process, benchmarking, To-Be model


4.2. Related Organization

Investigations and interviews of related organizations have been conducted to understand the current PKI status in Romania. The relevant organizations and institutions are as follows:

<Table 2> Related Organization List in Romania

Organization Name
- CERTSIGN (www.certsign.ro)
- DIGISIGN (www.digisign.ro)
- Trans Sped (www.transsped.ro)
- CertDigital (www.certdigital.ro)
- Alphatrust (www.alphatrust.ro)
- AADR (www.aadr.ro)
- Tax Declaration Service (Ministry of Finance) (http://www.mfinante.ro/)


II. AS-IS Analysis

1. ICT Environment Analysis

2. Current PKI Status in Romania


The purpose of the Research & Analysis is to derive the direction for the PKI policy recommendation based on the implications of each study on the ICT environment, informatization status and PKI requirements, and on the comparison with best practices (benchmarking) in other countries.

One of the main purposes of using PKI technology is to provide secure e-Government services. The analysis of the ICT sector in Romania provided insight into the general e-Government service environment and the national and government ICT infrastructure. The analysis of the results of the surveys and interviews conducted throughout the consulting, collected from government officials, citizens and businesses, was intended to find out the needs of the different parties with respect to the government offering secure e-Government services.

<Table 3> Country Profile

Category: Description
- Country Name: Romania (Republic)
- Capital: Bucharest
- Divisions: 81 provinces and 136 chartered cities
- Location: Southeastern Europe, bordering the Black Sea, between Bulgaria and Ukraine
- Area: Total 238,391 sq km (land: 229,891 sq km, water: 8,500 sq km); Border countries: Bulgaria 608 km, Hungary 443 km, Moldova 450 km, Serbia 476 km, Ukraine (north) 362 km, Ukraine (east) 169 km
- Climate: Temperate; cold, cloudy winters with frequent snow and fog; sunny summers with frequent showers and thunderstorms
- Ethnic Groups: Romanian 83.4%, Hungarian 6.1%, Roma 3.1%, Ukrainian 0.3%, German 0.2%, other 0.7%, unspecified 6.1% (2011 est.)
- Population: 21,666,350 (July 2015 est.)
- GDP (purchasing power parity): $392.8 billion (2014 est.)
- GDP per capita (PPP): $19,700 (2014 est.)
- Telephones, fixed lines: 4.6 million (2014 est.)
- Telephones, mobile cellular: 22.9 million (2014 est.)
- Internet users: 11.2 million (2014 est.)

(Source: www.cia.gov)


1. ICT Environment Analysis

The ICT environment analysis consists of the general information and a PEST (Policy, Economic, Social and Technical) analysis. The implications are derived from this analysis.

(Source: www.gov.ro)

(Figure 2) Government Structure

<Table 4> Penetration rates of fixed broadband internet access services at national level, respectively in urban/rural areas: 2012 – 2014

Indicator | Dec 2012 | Dec 2013 | Dec 2014
Total no. of fixed broadband internet access connections (million) | 3.5 | 3.8 | 4.0
Penetration rate per 100 inhabitants (%) | 17.6 | 18.9 | 20.1
No. of fixed broadband internet access connections in URBAN area (million) | 2.7 | 2.8 | 2.9
Urban penetration rate per 100 inhabitants (%) | 24.6 | 26.0 | 27.2
No. of fixed broadband internet access connections in RURAL area (million) | 0.9 | 1.0 | 1.1
Rural penetration rate per 100 inhabitants (%) | 9.4 | 10.7 | 11.8
No. of fixed broadband internet access connections provided to residential customers (million) | 3.2 | 3.5 | 3.6
Penetration rate per 100 households (%) | 42.8 | 46.2 | 48.8
No. of fixed broadband internet access connections provided to residential customers in URBAN area (million) | 2.4 | 2.5 | 2.6
Urban penetration rate per 100 households (%) | 56.7 | 60.0 | 62.3
No. of fixed broadband internet access connections provided to residential customers in RURAL area (million) | 0.8 | 0.9 | 1.0
Rural penetration rate per 100 households (%) | 25.0 | 28.3 | 31.4
Total no. of mobile broadband internet access connections (million) | 7.1 | 9.6 | 12.0
Penetration rate per 100 inhabitants (%) | 35.4 | 47.9 | 60.2

(Source: statistica.ancom.org.ro)

(Source: statistica.ancom.org.ro)

(Figure 3) Penetration rates of broadband internet access connections: 2012 – 2014

From the data describing the general ICT environment and its development, the consulting team understands that the ICT sector is of strategic importance for the economy, as it can function as a stepping stone for the development of every other industry. Romania is one of the strongest markets in Europe for investment in technology and trade, with a highly skilled workforce, competitive costs, top-tier investors, and a business-friendly environment. Romania has a fairly strong telecommunication infrastructure and ICT education system, as shown by the following facts: the country is one of the first European countries where 4G technology was launched; over 5,000 new graduates enter the labor market every year; there are over 8,000 software and IT services companies in Romania; many Romanian ICT experts are employed overseas in the USA and Western Europe; and multinational companies, namely Alcatel, Siemens, Oracle, IBM and Microsoft, have created large R&D centers and headquarters in Romania to take full advantage of the skilled ICT workforce. Nonetheless, Romania’s e-Government service is still in the developing stage and ranked relatively low in the measured categories: 62nd place in the E-Government readiness index in 2014.


(Source: www.unpan.org)

(Figure 4) E-government development in the European Union (EU) Member States


2. Current PKI Status in Romania

2.1. PKI Scheme

The Ministry for Information Society (MIS) is in charge of supervising and monitoring the National PKI in Romania by law. Under this PKI scheme, five CAs are designated as qualified CAs to issue certificates for citizens and companies. The Romanian PKI therefore consists of five separate CA hierarchies, one per qualified CA, and interoperability between the qualified CAs has not been considered.

(Figure 5) PKI architecture in Romania

Romania is considering a Modified BCA PKI model, which combines the Web/Internet Trust model and the BCA (Bridge CA) model. The system will allow a user either to download the CA certificate obtained by cross-certification or to choose the certificate trust list (CTL).


(Figure 6) Considered PKI Scheme in Romania

The ‘Bridge CA’ will provide PKI interoperability with EU member states as well as enhance trust in electronic transactions in the internal market. Building trust in the online environment is key to economic development; a lack of trust makes consumers, businesses and administrations hesitant to carry out transactions electronically and to adopt new services. Qualified CAs will be connected to the ‘Bridge CA’, providing interoperability with other countries’ qualified CAs. However, a Government CA, which would issue certificates for public officers and government organizations, does not yet exist in Romania.
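The two trust routes described above (a cross-certification path through a bridge CA, and a CA certificate listed directly in a certificate trust list), as an added example that is not part of the report: a Go program using the standard crypto/x509 package builds a constructed topology of two qualified CAs and a bridge CA, cross-certifies them in both directions, and checks how a relying party that trusts only CA B validates a citizen certificate issued by CA A. All CA names and the citizen certificate are constructed for the example.

```go
// Added example (not from the report): bridge-CA cross-certification versus a
// certificate trust list (CTL), using Go's standard crypto/x509. Names are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ca struct { // a CA's signing key and the self-signed root it publishes
	key  *ecdsa.PrivateKey
	self *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	sn := must(rand.Int(rand.Reader, big.NewInt(1<<62))) // random serial, as CAs do
	return &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: isCA,
	}
}

// issue signs tmpl over the public key pub with the parent's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

func newCA(name string) *ca {
	key, t := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), template(name, true)
	return &ca{key: key, self: issue(t, t, &key.PublicKey, key)} // self-signed root
}

// crossCertify has issuer sign a CA certificate over subject's existing key: the
// cross-certificate a bridge CA exchanges with each member CA. Subject keeps its
// own root; the cross-certificate only adds a second path to it.
func crossCertify(issuer, subject *ca) *x509.Certificate {
	t := template(subject.self.Subject.CommonName, true)
	return issue(t, issuer.self, &subject.key.PublicKey, issuer.key)
}

// chainLen validates leaf against the relying party's anchors plus the
// cross-certificates it has collected; returns the first chain's length.
func chainLen(leaf *x509.Certificate, anchors, cross []*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range cross {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // signature cert, not TLS
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// Scenario: a relying party trusting only CA B checks a citizen certificate issued
// by CA A: isolated hierarchies (noPath), then via the bridge, then via a CTL entry.
func Scenario() (noPath bool, viaBridge, viaCTL int, err error) {
	caA, caB, bridge := newCA("Qualified CA A"), newCA("Qualified CA B"), newCA("Bridge CA")
	cross := []*x509.Certificate{crossCertify(bridge, caA), crossCertify(caA, bridge),
		crossCertify(bridge, caB), crossCertify(caB, bridge)}
	sub := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	citizen := issue(template("Citizen", false), caA.self, &sub.PublicKey, caA.key)
	anchorA, anchorB := []*x509.Certificate{caA.self}, []*x509.Certificate{caB.self}
	_, e := chainLen(citizen, anchorB, nil) // today's situation: no cross-certificates
	noPath = e != nil
	if viaBridge, err = chainLen(citizen, anchorB, cross); err != nil {
		return
	}
	viaCTL, err = chainLen(citizen, anchorA, nil) // A's root listed directly in the CTL
	return
}

func main() {
	noPath, viaBridge, viaCTL, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("isolated fails: %v; via bridge: %d certs; via CTL: %d certs\n", noPath, viaBridge, viaCTL)
}
```

The bridge route yields a four-certificate chain (citizen, CA A cross-certified by the bridge, the bridge cross-certified by CA B, CA B's root), while the CTL route needs only two; a relying party must therefore be able to fetch and cache cross-certificates for the bridge model to work in practice.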

2.2. Legal Framework

The national implementation of Regulation 910/2014 of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures defines the legal value of electronic signatures, the requirements for the specialized supervisory and regulatory authority for qualified digital certificate service providers, accreditation procedures, and other specific requirements.

<Table 5> Legal Recognition of Digital Signature in Romania

CHAPTER I: General Provisions
  SECTION 1: General Principles
  SECTION 2: Definitions
  - defining electronic signature and extended electronic signature
  - related terms such as subscriber, qualified certificate, etc.

CHAPTER II: The Legal Status of the Documents in Electronic Form
  - the legal status of an electronic document which incorporates an electronic signature or has an electronic signature attached to it

CHAPTER III: Certification Service Provision
  SECTION 1: Common Provisions
  SECTION 2: Qualified Certification Service Provision
  SECTION 3: Suspension and Expiry of Certificates Validity
  - common provisions on Certification Service Providers (CSPs)
  - obligations of CSPs
  - information contained in qualified certificates
  - responsibilities of CSPs issuing qualified certificates
  - situations in which certificate validity is suspended or revoked

CHAPTER IV: Monitoring and Control
  SECTION 1: Supervisory and Regulatory Authority
  SECTION 2: Supervision of Certification Service Providers’ business
  SECTION 3: Voluntary Accreditation
  SECTION 4: Homologation
  - Ministry for Information Society as the supervisory and regulatory authority
  - CSPs’ registration with the authority and their obligations
  - duties and rights of the supervisory and regulatory authority supervising CSP business
  - duties of the supervisory and regulatory authority to order a CSP to cease its activity and be erased from the registry
  - homologation agencies to check compliance of secure-signature-creation devices with the law

CHAPTER V: Acknowledgment of Certificates Issued by Foreign Certification Services Providers
  - legal effect of certificates issued by foreign certification services providers

CHAPTER VI: Liability of Certification Service Providers
  - the liability of CSPs
  - a CSP is liable for damage caused to any person

CHAPTER VII: Obligations of Certificate Holders
  - obligations of certificate holders
  - situations in which certificate holders shall apply for revocation

CHAPTER VIII: Administrative Violations and Penalties
  - administrative violations and penalties applicable to CSPs
  - cases and amounts of penalties applicable to CSPs

CHAPTER IX: Final provisions
  - the level of tariffs established by the homologation agencies for the homologation of secure-signature-creation devices and for additional services

As a result of studying the Romanian legal framework related to PKI, the consulting team made the following suggestions to improve the legal framework:

• Accreditation: the accreditation criteria, accreditation procedure and auditing procedure for CA applicants shall be described in more detail
• Technical requirements: the PKI system, facilities/equipment and PKI standards required of CA applicants shall be described in detail
• CP/CPS: a framework for the Certificate Policy and Certificate Practice Statement of CA applicants shall be provided by the government
• In order to provide a uniform interface to the certificates issued by any CA, a unified standard for certificate policy should be defined
• Mandating the use of electronic signatures for e-Government services could be considered as a means of rapidly spreading the use of PKI technology
  ※ Korea mandated the use of digital signatures for internet banking ('02.09), internet shopping ('05.11), online stock exchange ('03.03), and public services ('06.01).
• The establishment of a national PKI steering committee should be considered, as a place to discuss experiences, knowledge and pending issues among experts from the related parties
• The Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market (eIDAS) should be reviewed and adopted appropriately

2.3. PKI Policy

Romanian digital signature law defines the Ministry for Information Society (MIS) as the supervisory

and regulatory body of the national PKI in Romania. The MIS is in charge of accrediting and auditing

qualified CAs. The highlights of Romanian PKI Policy are as below:


• Qualified CA accreditation: all qualified digital certificate providers should be accredited by the specialized supervisory and regulatory authority
• Qualified CA auditing: qualification is renewed every 2 years; qualified CAs should be audited by independent external auditors; and the systems are verified annually
• Types of certificate providers
  - Qualified digital certificate providers can voluntarily request accreditation
  - Unqualified digital certificate providers shall notify the specialized supervisory and regulatory authority
• Regulation of information security on e-Government projects: not regulated or controlled by a specific rule or guideline

2.4. PKI Status and Services

The consulting team conducted interviews and Q&A sessions with the persons in charge at the certificate authorities to research the PKI status.

The Romanian PKI scheme only issues a simple licence to the companies that apply to become a certificate authority. Because there is no standardized certificate policy (CP) or guideline, the Romanian government cannot enforce a unified certificate policy for the digital signing of electronic documents. As of now, each certificate authority has its own certificate policy and issues certificates with different profiles.

This inefficiency in the national PKI forces customer organizations to develop applications that recognize all the different certificates issued by the different authorities, which increases deployment cost.

In addition, from the users' perspective, multiple certificates must be obtained in order to use different services. This increases the cost of certificates and makes certificate management inefficient.

The current status of each certificate issuer's services is summarized below:

<Table 6> Qualified CAs in Romania

1. CERTSIGN (www.certsign.ro)
   PKI Services: CA Service; TSA/OCSP Service
   Major Customers: E-Mail, Document Security; E-Procurement; Tax Declaration
   Number of Certificates Issued: 100,000
   Opinions from the CA:
   - As the leader of the market, Certsign supports the idea of strengthening the regulations, such as refining the qualified CA auditing procedures
   - As new technologies such as mobile phones and tachographs rise, new technological standards and guidelines are necessary

2. DIGISIGN (www.digisign.ro)
   PKI Services: CA Service; TSA/OCSP Service
   Major Customers: SSL Certificate; Code Signing Certificate; E-Health; Tax Declaration; E-Procurement
   Number of Certificates Issued: 20,000
   Opinions from the CA:
   - The expensive price of qualified certificates deters further expansion of the digital signature industry
   - Mandatory use of the qualified certificate for e-Government services would stimulate the growth of the market

3. Trans Sped (www.transsped.ro)
   PKI Services: CA Service; TSA/OCSP Service
   Major Customers: SSL Certificate; Tax Declaration; CNAS Reference; BCR Signature
   Number of Certificates Issued: 20,000
   Opinions from the CA:
   - Trans Sped is in close technical collaboration with TC TrustCenter in Germany
   - Trans Sped is more focused on being ready to comply with the new EU regulation called eIDAS, which is aimed to be published in 2014

4. SC CENTRUL DE CALCUL SA (CertDigital) (www.certdigital.ro)
   PKI Services: CA Service; TSA Service
   Major Customers: Electronic prescription; On-line statements for individuals or companies
   Number of Certificates Issued: 8,000
   Opinions from the CA:
   - Current government guidelines can be interpreted and implemented differently depending on the CA, in cases such as the certificate renewal procedure, the use of pseudonyms and the renting out of certificates
   - Technical standards, such as upgrading the "SHA1" algorithm and the use of mobile certificates, shall be updated
   - More use of digital certificates in public services is necessary

5. Alphatrust (www.alphatrust.ro)
   PKI Services: CA Service; TSA/OCSP Service
   Major Customers: Tax Declaration
   Number of Certificates Issued: 5,000
   Opinions from the CA:
   - Digital certificates are mainly used for the tax declarations of corporates. Considering the fact that an accountant uses one qualified certificate for multiple companies, the possibility of market growth is still low

A comparison of the certificate profiles of the five qualified CAs follows:

<Table 7> Certificate Profiles in Romania

Signature Algorithm
  Cert Sign: SHA1RSA
  DIGISIGN: SHA1RSA
  Cert Digital: SHA1RSA
  Trans Sped: SHA1RSA
  Remarks: "SHA2" will be upgraded at the end of the year

Subject
  Cert Sign: CN = certSIGN CA Class 2, OU = certSIGN CA Class 2, O = certSIGN, C = RO
  DIGISIGN: C = RO, O = DigiSign S.A, OU = DigiSign Public CA, CN = DigiSign Qualified Public CA
  Cert Digital: CN = Cert Digital Qualified CA Class 3, OU = Cert Digital, O = Centrul de Calcul SA, C = RO
  Trans Sped: CN = Trans Sped SAFE CA II, OU = Individual Subscriber CA, O = Trans Sped SRL, C = RO
  Remarks: DN order shall be the same

Public Key
  Cert Sign: RSA 2,048 bits
  DIGISIGN: RSA 4,096 bits
  Cert Digital: RSA 2,048 bits
  Trans Sped: RSA 2,048 bits
  Remarks: Key length shall be the same

CRL Distribution Point
  Cert Sign:
    URL=http://crl.certsign.ro/root.crl
    URL=ldap://ldap.certsign.ro/OU=certSIGN ROOT CA,O=certSIGN,C=RO?certificateRevocationList;binary
  DIGISIGN:
    URL=http://crl.digisign.ro/qualifiedrootcav2/latest.crl
  Cert Digital:
    URL=http://crl.certdigital.ro/rootv1.crl
    URL=https://ca.certdigital.ro/CRLs/rootv1.crl
  Trans Sped:
    URL=http://crl.tcclass3-ii.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
    URL=ldap://www.trustcenter.de/CN=TC%20TrustCenter%20Class%203%20CA%20II,O=TC%20TrustCenter%20GmbH,OU=rootcerts,DC=trustcenter,DC=de?certificateRevocationList?base?
  Remarks: CRL distribution structure shall be the same for interoperability

Authority Information Access
  Cert Sign: URL=http://ocsp.certsign.ro
  DIGISIGN: URL=http://ocsp.digisign.ro/ocsp
  Cert Digital: N/A
  Trans Sped:
    URL=http://ocsp.tcclass3-II.de
    URL=http://www.trustcenter.de/certservices/cacerts/tc_class_3_ca_II.crt
  Remarks: AIA structure shall be the same for interoperability
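The interoperability remarks in Table 7 can be turned into an automated check. The following lint is an added example, not code from the KICA report: the profile values are transcribed from the table, while the policy floor (SHA-2 signatures, 2,048-bit keys, majority DN layout as the reference) and the AIA access methods (ocsp / caIssuers) are this example's own assumptions.

```python
"""Interoperability lint over the certificate-profile fields compared in
Table 7.  Added example, not part of the KICA report: the profile values
are transcribed from the table; the policy thresholds and the AIA access
methods (ocsp / caIssuers) are this example's own assumptions."""
from collections import Counter
from urllib.parse import urlsplit

# Assumed policy floor: SHA-2 signatures and subscriber keys of at least
# 2,048 bits (the upgrade the report itself recommends in Table 9, item 5).
WEAK_SIGNATURE_ALGORITHMS = {"MD5RSA", "SHA1RSA"}
MIN_KEY_BITS = 2048

PROFILES = {
    "certSIGN": {
        "sig_alg": "SHA1RSA", "key_bits": 2048,
        "subject": "CN=certSIGN CA Class 2, OU=certSIGN CA Class 2, O=certSIGN, C=RO",
        "cdp": ["http://crl.certsign.ro/root.crl",
                "ldap://ldap.certsign.ro/OU=certSIGN ROOT CA,O=certSIGN,C=RO"
                "?certificateRevocationList;binary"],
        "aia": [("ocsp", "http://ocsp.certsign.ro")],
    },
    "DigiSign": {
        "sig_alg": "SHA1RSA", "key_bits": 4096,
        "subject": "C=RO, O=DigiSign S.A, OU=DigiSign Public CA, CN=DigiSign Qualified Public CA",
        "cdp": ["http://crl.digisign.ro/qualifiedrootcav2/latest.crl"],
        "aia": [("ocsp", "http://ocsp.digisign.ro/ocsp")],
    },
    "CertDigital": {
        "sig_alg": "SHA1RSA", "key_bits": 2048,
        "subject": "CN=Cert Digital Qualified CA Class 3, OU=Cert Digital, O=Centrul de Calcul SA, C=RO",
        "cdp": ["http://crl.certdigital.ro/rootv1.crl",
                "https://ca.certdigital.ro/CRLs/rootv1.crl"],
        "aia": [],   # Table 7 lists no AIA for this CA
    },
    "Trans Sped": {
        "sig_alg": "SHA1RSA", "key_bits": 2048,
        "subject": "CN=Trans Sped SAFE CA II, OU=Individual Subscriber CA, O=Trans Sped SRL, C=RO",
        "cdp": ["http://crl.tcclass3-ii.trustcenter.de/crl/v2/tc_class_3_ca_II.crl",
                "ldap://www.trustcenter.de/CN=TC%20TrustCenter%20Class%203%20CA%20II,"
                "O=TC%20TrustCenter%20GmbH,OU=rootcerts,DC=trustcenter,DC=de"
                "?certificateRevocationList?base?"],
        "aia": [("ocsp", "http://ocsp.tcclass3-II.de"),
                ("caIssuers", "http://www.trustcenter.de/certservices/cacerts/tc_class_3_ca_II.crt")],
    },
}


def dn_attribute_order(dn):
    """Attribute types of an RFC 4514-style DN string in written order,
    e.g. 'CN=x, O=y, C=RO' -> ('CN', 'O', 'C').  The DNs in Table 7 have
    no escaped commas, so a plain split is sufficient here."""
    return tuple(part.split("=", 1)[0].strip().upper()
                 for part in dn.split(",") if "=" in part)


def lint_profiles(profiles):
    """Check each profile against the policy floor and against the others.
    Returns {ca: [(code, detail), ...]}; the extra key 'fleet' collects the
    cross-CA inconsistencies that the report says block interoperability."""
    findings = {ca: [] for ca in profiles}
    findings["fleet"] = []
    # Reference DN layout = the one most CAs already use (assumption: a
    # unified policy would standardise on the majority layout).
    orders = Counter(dn_attribute_order(p["subject"]) for p in profiles.values())
    reference_order = orders.most_common(1)[0][0]
    for ca, p in profiles.items():
        if p["sig_alg"].upper() in WEAK_SIGNATURE_ALGORITHMS:
            findings[ca].append(("WEAK_SIG_ALG", p["sig_alg"]))
        if p["key_bits"] < MIN_KEY_BITS:
            findings[ca].append(("KEY_TOO_SHORT", str(p["key_bits"])))
        order = dn_attribute_order(p["subject"])
        if order != reference_order:
            findings[ca].append(("DN_ORDER", "/".join(order)))
        # A relying party without an LDAP client still needs an HTTP(S) CRL.
        if not any(urlsplit(u).scheme in ("http", "https") for u in p["cdp"]):
            findings[ca].append(("NO_HTTP_CDP", ";".join(p["cdp"])))
        if not any(method == "ocsp" for method, _ in p["aia"]):
            findings[ca].append(("NO_OCSP_AIA", ""))
    key_sizes = sorted({p["key_bits"] for p in profiles.values()})
    if len(key_sizes) > 1:
        findings["fleet"].append(("KEY_SIZE_MISMATCH", "/".join(map(str, key_sizes))))
    if len(orders) > 1:
        findings["fleet"].append(("DN_ORDER_MISMATCH", "/".join(reference_order)))
    return findings


if __name__ == "__main__":
    for ca, items in lint_profiles(PROFILES).items():
        print(ca)
        for code, detail in items:
            print(f"  {code} {detail}".rstrip())
```

Run against the Table 7 data it flags SHA1RSA on all four CAs, the reversed DN order and the 4,096-bit key at DigiSign, and the missing OCSP pointer at Cert Digital, which is exactly the set of differences the report's remarks column asks to harmonise.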


The major PKI-enabled e-Government services in Romania are as follows:

<Table 8> Major PKI-enabled e-Government Services in Romania

1. Agentia pentru Agenda Digitala a Romaniei (AARD), http://www.aard.ro
   - AARD implements and operates e-Government services such as e-procurement
   - AARD operates its own PKI system, issuing unqualified certificates for subscriber authentication
   - The e-Procurement system requires two types of digital certificate:
     • Login (Authentication): Unqualified Certificate
     • Document Signing (Integrity, Non-Repudiation): Qualified Certificate
     ※ Digitally signed (PKCS#7) documents are stored in the database without any verification or validation at the web application server
   - AARD implements and operates the nationwide electronic Point of Single Contact (PSC), aiming at streamlining government services, creating an integrated market and simplifying service procedures, thereby developing an interoperable Romanian and pan-European platform
   - Citizens can apply for online public services in two ways:
     • Scanned electronic documents
     • Electronic documents carrying a digital signature made with the qualified certificate
     ※ There has been no request using qualified certificates yet, due to the low number of PSC users

2. Tax Declaration Service (Ministry of Finance)
   - According to the Order of the ANAF (National Agency for Fiscal Administration) President no. 2520/2010, beginning from 25.11.2010 the big and medium-size corporate taxpayers, as well as their secondary headquarters, are OBLIGED to file their tax declarations by electronic means of remote transmission
   - Qualified certificates are used to secure the e-documents generated in three cases: tax declaration; securing transactions between the Bank and the TRF (Transform Registry); e-Payment (planning to use qualified certificates)
   - Digitally signed (PKCS#7) documents are verified and validated at the web application server before being stored in the database
   - Most banks are using SSL (Secure Socket Layer) and OTP (One Time Password) for the security of e-transactions. Only a few banks are using qualified certificates


1.2.5 Major findings of PKI

The major findings on the PKI status in Romania are summarized in the table below:

<Table 9> Major Findings

1. PKI Scheme
   Finding: No inter-sectoral working group related to PKI
   Tasks:
   - A PKI steering committee, with members including the qualified CAs and major PKI vendors, should be created as a place to discuss regulatory and technical issues of PKI, especially the Bridge CA project

2. Legal Framework
   Finding: The regulations may not reflect the rapidly developing technological environment
   Tasks:
   - The legal framework should recognize the rise of new technologies such as mobile phones, digital TV, internet phones, etc.
   - The contents of the new EU regulation, eIDAS, shall be revised based on the needs and changes of the market

3. PKI Policy
   Finding: Detailed qualified CA guidelines may promote the digital signature market
   Tasks:
   - Romanian regulations or guidelines on accrediting and auditing CAs shall fully comply with the related EU regulations
   - A PKI policy to promote the market is necessary

4. PKI Industry Overview
   Findings: Qualified certificates are used only in limited cases; the market growth is fairly slow
   Tasks:
   - More e-Government applications have to be implemented based on secure PKI technology
   - Due to the expensive certificate price, the PKI market has not taken off yet

5. Certificate Profile (Validation)
   Finding: Romania's technical standard is not up to date
   Tasks:
   - Key length and hash algorithm shall be considered for upgrade
     • Subscriber key: more than 2,048 bits
     • Hash algorithm: stronger than "SHA2"
   ※ Technical standards for interoperability among CAs shall be considered

6. PKI-enabled e-Government Services
   Finding: Qualified certificate validation is not universal
   Tasks:
   - The validation procedure at web application servers shall be enhanced
   - Implementation of a VA (Validation Authority) can be considered as a means to increase the efficiency of qualified certificate validation


III. International trend for PKI

1. The Current State of Korea PKI
2. The Current State of Brunei PKI
3. The Current State of Kenya PKI
4. The Current State of Cameroon PKI
5. The Current State of Germany PKI


1. The Current State of Korea PKI

1.1. Overview

The consulting team studied the Korean case, covering the current Korean PKI certification system, digital signature-based authentication technology, certification policy, and digital signature law/regulations.

<Table 10> Scope of Benchmarking of Korea

Law, Policy, Standards:
  Electronic Signature Act, Decree and Ordinance
  Certification Practices Statement
  Electronic Signature Certification Technology
PKI Model:
  Government PKI
  National PKI
Electronic Signature Promotion:
  Interoperability among Accredited CAs
  Provide User's Convenience
  Cross certification for NPKI and GPKI
  Mandating Accredited Certificate (bank, stock)
  End of Certificate Free Trial Period
  Upgrading of PKI technologies
  Division of PKI Markets
  Addition of Root CA Certificate to MS IE
PKI Applications:
  E-Procurement, Internet Banking, Payment Gateway, G4C etc.

1.2. Status of Laws and Standards

1.2.1. Electronic Signature Act

The Korean Electronic Signature Act ("KESA") is enforced through the Electronic Signature Act Enforcement Decree and the Electronic Signature Act Enforcement Regulations. Four subordinate rules also exist, governing CA accreditation, accredited CAs' operation and protection measures, and subscriber identification and authentication procedures. Based on these statutory and technical authorities, the Electronic Signature Certification Technology and the CPS (Certification Practices Statement) are put in operation.


(Figure 7) Structure of electronic signature

<Table 11> Count of laws and standards

  Act: 1
  Decree and Regulation: 2
  Notification: 4
  Standards: 33

Definition

An electronic signature is unique information that identifies the person who created an electronic document and confirms whether the electronic document has been modified. It provides identification of the signer, confidentiality, tamper prevention, and protection against document forgery and repudiation.

Necessities

The Electronic Signature Act is intended to increase the stability and reliability of electronic documents. The electronic signature provides identification, authentication, integrity of the electronic document, confidentiality and non-repudiation, and fulfils the legal conditions of a written document and signature. The Act introduces an authentication system to secure the stability and integrity of electronic signatures and to promote the use of electronic documents.

Requirements

o Not changeable: a person who does not have the key cannot modify the electronic document
o Not forgeable: a person who does not have the key cannot create the electronic signature
o Not reusable: the electronic signature of document A cannot be reused as the electronic signature of document B
o Identification: the person who owns the key is the one who performs the electronic signature
o Non-repudiation: a person who has the key and has performed the electronic signing cannot repudiate the act of signing

Fields

o Common electronic commerce
  Internet shopping, booking systems, billing, goods transport, information sharing
o Financial field
  Internet banking, cyber stock exchanges, insurance, electronic money
o Public field
  Civil affairs, public document distribution, auction, legal permission, tax, procurement, import/export clearance, electronic application
o Others
  Electronic mail, remote medical services, electronic notaries, electronic verification

History

o Electronic Signature Act: enacted (Feb. 1999); Decree and Ordinance: enacted (Jun. & Aug. 1999)
o Electronic Signature Act: amended (Dec. 2001)
  - Decree and Ordinance: amended (Jun. & Aug. 2002)
  - 3 kinds of Rules and Guidelines: enacted (Nov. 2002)
o Electronic Signature Act: amended (Dec. 2005)
  - Division of PKI markets: To resolve the unfair trade issues arising out of competition between corporations and non-profit organizations, the KESA assigns a separate market to non-profit organizations and entities established by a special law. Section 4.
  - Unification of accreditation standards: The KESA mandates unification of the different accreditation standards of each CA, and imposes penalties on violators, thereby guaranteeing stability and reliability in accreditation. Section 6.
  - Specification of CPS: The KESA mandates clarification of the e-signature accreditation guidelines for CAs' daily operation, and public access to them. Section 8.
  - Ban on discretionary acts and allowance of administrative orders: The amended Act authorizes the issuance of administrative orders against failure to report any system error or failure to purchase insurance policies. Section 11.
  - Specification of audit procedure and scope: To prevent abusive use of discretion, the KESA clarifies ambiguous or vague provisions, audit criteria and procedure, paving the way for clean and transparent administration. Section 14.
  - Specification of counter-actions against accreditation errors: The amended KESA stipulates provisions for events arising in business operations, such as shutdown of the accreditation system, and thus protects users. Section 22.
  - Expanded protection for generation of e-signatures: In the past, the KESA was silent on the use of accredited certificates for purposes other than the one originally authorized. Thus it was not possible to prosecute even a person who used the certificate of another person without authorization. Section 23.
  - Reasonable burden of liabilities and insurance obligation for CAs: The previous version of the KESA held the CA liable even for damage arising out of force majeure. The amended KESA grants immunity to the CA if it proves that the damage was not caused by its negligence, and mandates the CA to take out a liability insurance policy to protect customers. Section 26.
  - Organization of an accreditation policy board: To foster fair competition and balanced development of the market, the amended KESA authorizes the establishment of an accreditation policy board and empowers it to review major policies for the development of the market. Section 26.
  - Specification of penalties: The amended KESA fines any entity that requires certain certificates over others, in violation of interoperability, up to 5 million won. Section 32.

Contents

o Section 3 of the KESA grants legal authority to accredited e-signatures to boost e-commerce.
  - Any duly accredited e-signature is deemed a lawful and legal execution.
  - If an instrument is executed with an accredited e-signature, said instrument is presumed to be duly authorized and not forged.
o The Minister of Information and Communication* designates CAs.
  - To secure the reliability and authority of e-signature accreditation, the government, pursuant to the KESA, acknowledges accreditation authorities, and the Minister of Information and Communication may designate a CA from any eligible central or local government (agency) or corporation. The KESA also defines the eligibility and qualification of CA employees. Section 4 & 5.
  - The KESA relegates the details of the procedure and criteria for designating CAs to the implementation rules (i.e. the presidential executive order) and to the authority. Section 4.
o Accreditation management system to guarantee continuity and appropriateness of accreditation
  - The KESA defines details about the CA and its business operation, including how to report accreditation standards and how to suspend or close the business operation of the CA. Section 6 - 10.
  - The KESA also stipulates how a CA should conduct its business operation, when its designation is to be revoked, and when inspections are launched to make sure its business operation complies with relevant laws. Section 12 & 14.
o Issuance of certificates
  - To secure reliability in accreditation, the KESA specifies what should be incorporated in a certificate, when to issue a certificate, and what leads to its suspension or revocation. Section 15 - 18.
o Protection of privacy
  - The KESA articulates its privacy policy, prohibits, for example, unauthorized collection, use and disclosure of personal information, and penalizes any violator. Section 24 & 32 - 34.
o Mutual recognition of certificates issued by foreign authorities
  - Based on the principle of reciprocity, the KESA acknowledges certificates issued by foreign authorities pursuant to international treaties. Section 27.
o Obligations and duties of CAs
  - The KESA obliges the CA to, for example, take measures against forgery, conduct business operations in a stable and reliable way, and safely manage e-signature keys and relevant documents. Section 19, 21 & 22.
  - The KESA holds the CA liable for any harm or damage caused to the user arising out of its mal-performance or negligence. Section 26.
o Protection of e-signatures and e-documents
  - To protect public reliance and trust in e-signatures and e-documents, the KESA prohibits unauthorized use of another person's personal information or e-signature key, and prosecutes any violator. Section 23, 31 & 32.
o Establishment and operation of the Korea Certificate Authority Center
  - The KESA authorizes KISA to operate the Korea Certificate Authority Center to manage CAs efficiently and encourage safe use of e-signatures. Section 25.

1.2.2. Electronic Signature Act Enforcement Decree and Regulations

Major Points

o Accreditation criteria
  - At least 12 specialized employees are secured to maintain the 24-hour operation system and to develop relevant technologies.
  - The initial capital should be at least 8 billion won.
  - Pursuant to the laws and regulations, a CA has relevant equipment and facilities, for example for identification of subscribers, e-signature key maintenance, safe and reliable management of certificates, verification of e-signatures and execution times, and protection of the certification management system.
  - The core certification system shall be operated by at least two operators, and be duplex-structured against any system failure.
o Independence of the CA
  - A CA shall be independent and free from any interest in the party subscribing to its certification service.
o CA designation procedure
  - An entity wishing to be designated as a CA may submit the application and relevant documents to the Minister of Information and Communication.
  - After screening the applicant in terms of technical and financial qualifications, the Minister may grant the application upon finding the applicant eligible.

1.2.3. Notifications

Hereunder, a brief explanation is given of the four subordinate rules governing publication of information.

Rules on Accredited Certification Authorities' Facilities and Equipment

o The object of these regulations is to lay down details of facilities and equipment pursuant to the provision of Sub-clause 3 of Clause 1 of Section 2 of the Enforcement Decree of the Electronic Signature Act, and internal regulations pursuant to the provision of Sub-clause 4 of the same Clause, in connection with asymmetric encryption-based electronic signature technology.

Rules on Accredited Certification Authorities' Protective Measures

o The object of these regulations is to lay down details of the protective measures that certification authorities must take to ensure the safety of certification service facilities, in accordance with Section 18-3 of the Electronic Signature Act and Section 13-4 of the Enforcement Regulations of the same Act.

Guideline on Electronic Signature Certification Practices

o The object of this guideline is to lay down details of what certification authorities must observe in performing certification services by means of asymmetric encryption, in order to ensure the safety and reliability of certification practices in accordance with Section 8 of the Electronic Signature Act.

Methods and Procedures for Identification and Authentication through Representatives

o The purpose of this notification is to define the method and procedure by which certification authorities identify those who want to have a certificate issued through a representative, in accordance with the provisions of the latter part of Clause 1 of Section 15 of the Electronic Signature Act and Clause 3 of Section 13-2 of the Enforcement Regulations of the same Act.

1.2.4. Major details of the Electronic Signature Act

Certified electronic signature and non-certified electronic signature

o The coexistence of certified electronic signatures and non-certified electronic signatures is approved
o The certified electronic signature satisfies the requirement of a signature under the Act

<Table 12> Differences between certified and non-certified signatures

Effects
  Certified electronic signature (CA): Signature by Act
  Non-certified electronic signature: Personal agreement
Effect as evidence in the code of legal procedure
  Certified electronic signature (CA): Presumptive effect (○)
  Non-certified electronic signature: Presumptive effect (×)
Damage suit
  Certified electronic signature (CA): Accredited Certification Authority (wrongdoer)
  Non-certified electronic signature: Victim

Definition of certified electronic signature and its requirements

o The markup information for the electronic signature must belong only to the subscriber
o The subscriber must own and manage the markup information at the time of signing
o It must be possible to confirm whether the electronic signature has been modified

Electronic signature certification systems

(Figure 8) NPKI model in Korea

o MOPAS (Ministry of Public Administration and Security)
  - Puts the Act and regulations in order
  - Constructs the national certification system
  - Designates and controls certification authorities
o KISA (Korea Information Security Agency)
  - Operation of the national certification management system
  - Screening for the designation of certification authorities
  - Issues certification authority certificates
o Accredited Certification Authority
  - Establishment of certification work regulations
  - Provision of certification services
  - Issues certificates for subscribers
  - Revocation and renewal of certificates

Procedure of assignment for accredited CA

(Figure 9) Procedure of assignment for accredited CA

Compensation responsibility of CA

o In relation to certification work at the CA, when the CA causes any damage or loss to users or subscribers, the CA has to compensate the users
o User protection through the burden of proof placed on the CA
o CA protection based on the general principles of the Act

<Table 13> Compensation responsibility of CA

Act:
  Force majeure, intentional act of the user, fault of the user.
Revised Act of the year 2001:
  In case of force majeure, the responsibility for compensation is reduced; when the CA proves that there is no reason to compensate, there is no responsibility for the CA to compensate.
Revised Act of the year 2005:
  In case of force majeure, no responsibility for compensation; when the CA proves that there is no reason to compensate, there is no responsibility for the CA to compensate.


1.2.5. Certification Practices Statement (CPS)

The root CA and the accredited CAs shall post the CPS on their homepages and thus provide users with access to it at all times. The CPS should contain information on, for example, management of certificates and key pairs, supplementary services, RA management, and audit management. The table below lists the details incorporated in a CPS.

<Table 14> Contents of CPS

Management of Certificates
  - Transmission of Registered Information
  - Request for Issuance of Certificates
  - Generation of Certificates
  - Request for Suspension, Restoration and Revocation of Certificates
  - Generation of Certificate Suspension and Revocation Lists
  - Public Announcement and Validation of Certificates
Management of Key Pairs
  - Generation of Key Pairs
  - Protection of Key Pairs
  - Backup of Key Pairs
  - Revocation of Key Pairs
  - Loss, Destruction, Theft or Leakage of Private Keys
Other Certification Services
  - Provision of Time Stamping
  - Time Reception and Correction
  - Storage of Time Stamping Records
  - Storage of Electronic Documents
  - Backup of Time Stamping Records
  - Other Supplementary Services
Others
  - Conformity with Technical Specifications
  - Scope and Intended Use of Certificates
  - Conformity to Certification Procedure
  - Matters concerning Facilities and Equipment
  - Management of Certification Service Records
  - Management of Certification Service Records through the Representative
  - Management of Audit Records
  - Management of Registration Authorities
  - Test Run of Certification Practice
  - Correct Provision of Information and Public Notification

1.2.6. Digital Signature Certification Technology

The Digital Signature Certification Technology is a set of technical standards tailored to South Korea on the basis of the international standards.

Profiles

o RFC 3280 serves as the basis for the accredited certificate and CRL profiles.

Certificate Profile for Accredited Certificate
- Wire: Certificate Profile for Accredited Certificate [V1.10], 2008.10
- Wireless: Wireless Certificate Profile for Accredited Certificate [V1.21], 2001.08

Certificate Revocation List Profile for Accredited Certificate
- Wire: Profiling on Certificate Revocation List for Accredited Certificate [V1.10], 2008.10
- Wireless: Wireless Certificate Revocation List Profile for Accredited Certificate [V1.21], 2001.08

Distinguished Name Specification
- Common: Distinguished Name Specification [V1.10], 2008.10

o The mark specification is a standard for indicating that a certificate is accredited.

Mark Specification for Accredited Certificate
- Common: Mark Specification for Accredited Certificate [V1.00], 2008.10

o It is necessary to generate and verify the identification of a person, legal or natural, by SSN or Business Tax ID without disclosing that number; the relevant procedure is therefore specified.

Subscriber Identification Based on Virtual ID
- Common: Subscriber Identification Based on Virtual ID [V1.11], 2008.10

Algorithms

o The algorithms used for accreditation purposes shall be defined. One feature of Korea is that it has developed "tailored" algorithms (e.g. KCDSA, HAS-160, SEED) alongside their international counterparts (e.g. RSA, SHA-1, 3-DES) and mandated their use.

Digital Signature Algorithm Specification
- Wire, RSA: RSA Laboratories PKCS#1, "RSA Cryptography Specifications", 2002.06; ANSI X9.31, "Digital Signature Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)", 1998.09
- Wire, KCDSA: TTAS.KO-12.0001/R1, "Digital Signature Mechanism with Appendix - Part 2: Certificate-based Digital Signature Algorithm", 2000.12
- Wireless, RSA: RSA Laboratories PKCS#1, "RSA Cryptography Specifications", 2002.06; ANSI X9.31, "Digital Signature Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA)", 2001.08
- Wireless, ECDSA: ANSI X9.62, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", 1998.09
- Common: Digital Signature Algorithm Specification [v1.20], 2008.10

Hash Algorithm Specification
- Wire, SHA-1: FIPS PUB 180-1, "SECURE HASH STANDARD", 1995.04
- Wire, HAS-160: TTAS.KO-12.0011/R1, "Hash Function Standard - Part 2: Hash Function Algorithm Standard (HAS-160)", 2000.12
- Wireless, SHA-1: FIPS PUB 180-1, "SECURE HASH STANDARD", 1995.04
- Common: Hash Algorithm Specification [v1.10], 2008.10

Encryption Algorithm
- Common, 3-DES: FIPS PUB 46-3, "DATA ENCRYPTION STANDARD (DES)", 1999.10
- Common, SEED: TTAS.KO-12.0004, "128-bit Symmetric Block Cipher (SEED)", 1999.09
- Common: Private-Key Encryption Scheme Specification Using the SEED Algorithm [v1.20], 2008.10

Management Protocols

Certificate Request Format
- Wire, online: Online Certification Request Message Format Protocol Specification [V1.20] (preparing), 2008.10
- Wire, offline: RSA Laboratories PKCS#10, "Certification Request Syntax Standard", 2005.05
- Wireless, online: Wireless Certification Request Message Format Protocol Specification [V1.32] (preparing), 2003.12
- Wireless, offline: RSA Laboratories PKCS#10, "Certification Request Syntax Standard", 2005.05
- Common: The ReferenceValue/SecretValue Specification for Issuing Accredited Certificate [v1.10], 2008.10

Certificate Management Protocol for Accredited Certificate
- Wire: Certification Management Protocol Specification [V1.20], 2008.10
- Wireless: Wireless Certification Management Protocol Specification [V1.32], 2003.12
- Certification Management Protocol Specification [V1.00] (preparing)

Operation Protocols

Directory Operation Protocol
- Common: LDAP Specification [V1.10], 2008.10

Time Stamping Protocol
- Common: Time Stamp Specification [V1.10], 2008.10

Network Time Protocol
- Common: Network Time Specification [V1.10], 2008.10

Path Construction and Verification Protocols

GPKI and NPKI Interoperability Specification
- Common: The CTL Technical Specification for Interoperability of Certification Authorities [V1.30], 2008.10

Online Certificate Validation Protocol
- Wireless: Online Certificate Validation Protocol [V1.20], 2008.10

Accredited Certificate Path Validation Specification
- Common: Accredited Certificate Path Validation Specification [V1.10], 2008.10

Others

User Interface Specification for the Interoperability of Accredited Certification Authorities
- Common: User Interface Specification for Accredited CAs [V1.70], 2008.10

Storage Specification for PKI Information into HSM
- Common: Technical Specification for HSM based Certificate Format [v1.10], 2008.10

Application Interface Specification for HSM
- Common: Specification of the Use of Certificates HSM based [v1.80], 2008.10

Cryptographic Key Protection Specification
- Common: Cryptographic Key Protection Specification [V1.10], 2008.10

Accredited Certificate Updating Specification
- Common: Accredited Certificate Update Specification [V1.10], 2008.10

Specification for Storing and Using Certificate in Mobile Device
- Common: Certificate Management in Mobile Device [v1.10], 2008.10

Specification for Transferring Certificate via Mobile Phone
- Common: Certificate Transmission From PC to Mobile Device [v1.10], 2008.10
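The virtual-ID item in the profile list above states the goal (verify a subscriber by SSN or Business Tax ID without disclosing the number in the certificate) but not the construction. The following is an added example, not code from the report or from the KISA specification: it shows one salted double-hash commitment that meets that goal, and the function names, the choice of SHA-256, the 20-byte random value and the dictionary standing in for the certificate are all assumptions.

```python
"""Virtual-ID style subscriber identification (illustrative; assumed scheme).

At enrolment the CA draws a random value R, computes
    VID = H( H( IDN || R ) )
and places only VID in the certificate; the subscriber keeps R.  To prove
identity to a relying party the subscriber presents IDN and R; the relying
party recomputes the VID and compares it with the certificate value.

The random R is what makes this private: identification numbers have little
entropy, so an unsalted hash could be inverted by enumerating the number
space, and a fixed salt would let two certificates of the same person be
linked.  A fresh R per enrolment prevents both.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumption: SHA-256 is used for illustration; the report lists SHA-1 and
# HAS-160 as the accredited hash standards of the period.
_HASH = hashlib.sha256
_R_LEN = 20  # length in bytes of the random value R (assumed)


def compute_vid(idn: str, r: bytes) -> bytes:
    """VID = H(H(IDN || R)).  IDN is the SSN or Business Tax ID as a string."""
    if not idn or len(r) != _R_LEN:
        raise ValueError("identification number and a full-length R are required")
    inner = _HASH(idn.encode("utf-8") + r).digest()
    return _HASH(inner).digest()


def enrol(idn: str) -> Tuple[bytes, Dict[str, str]]:
    """CA side.  Returns R (handed to the subscriber) and a stand-in for the
    certificate carrying the VID; the real number never enters the certificate."""
    r = secrets.token_bytes(_R_LEN)
    cert = {"subject": "CN=subscriber", "vid": compute_vid(idn, r).hex()}
    return r, cert


def verify_identity(cert: Dict[str, str], claimed_idn: str, r: bytes) -> bool:
    """Relying-party side: recompute from the disclosed (IDN, R) and compare
    in constant time.  Any mismatch in IDN or R, or a malformed R, fails."""
    try:
        expected = compute_vid(claimed_idn, r)
    except ValueError:
        return False
    return hmac.compare_digest(bytes.fromhex(cert["vid"]), expected)


def certificates_linkable(cert_a: Dict[str, str], cert_b: Dict[str, str]) -> bool:
    """True only if the VIDs alone reveal that two certificates belong to the
    same number.  With a fresh R per enrolment this is False."""
    return cert_a["vid"] == cert_b["vid"]


if __name__ == "__main__":
    idn = "000000-0000000"  # constructed placeholder, not a real number
    r, cert = enrol(idn)
    print("certificate carries only :", cert["vid"])
    print("holder proves identity   :", verify_identity(cert, idn, r))
    print("wrong number rejected    :", not verify_identity(cert, "111111-1111111", r))
    _, cert2 = enrol(idn)
    print("re-enrolment unlinkable  :", not certificates_linkable(cert, cert2))
```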

1.3. PKI Model

1.3.1. PKI Scheme

South Korea has two PKI structures: the GPKI (Government PKI) and the NPKI (National PKI).

<Table 15> GPKI and NPKI

Item | GPKI | NPKI
Act | Established in 2001 pursuant to the e-Government Act | Established in 1999 under the Electronic Signature Act
Ministry in Charge | MOPAS (Ministry of Public Administration and Security) | MOPAS (Ministry of Public Administration and Security)
Root CA | GCMA (http://www.gpki.go.kr) | KISA (http://www.rootca.or.kr)
Main Customer | Public servants | Individuals, companies
Business Area | G2G, G2B and G2C | C2C, B2C, B2B, G2B, G2C, etc.

The KESA laid the legal grounds for the NPKI, which was established in 1999. The MOPAS (formerly the Ministry of Information and Communication) supervises all procedures, and the KISA functions as the root CA. The GPKI, on the other hand, was founded in 2001 pursuant to the E-Government Act; the MOPAS takes charge of it, and the GCC assumes the role of the root CA.

(Figure 10) Procedure of assignment for accredited CA


1.3.2. GPKI (Government PKI)

Background

o Since April 2000, the GPKI center has handled all matters related to the e-signatures of government agencies. For example, it verifies the identity of the sender or receiver of government e-documents, prevents their forgery, and has set up a certification system to secure the safe circulation of government e-documents. The certificate management hierarchy starts from the highest CA (the MOPAS, performing the roles of CA and RA, or Registration Authority) and runs down to the CAs designated by the MOPAS, the registration bodies designated and operated by the CAs, and the remote registration bodies. At each level, accreditation and related work is performed on the basis of certificates.

History

o GPKI system constructed in April 2000; duplexing completed in December 2008
  - GPKI services provided to the Administrational EDI since May 2000
  - GPKI standardized security APIs developed and supplied in October 2000
o Relevant laws and regulations for introducing the GPKI established in February 2001
o GPKI management system extended from November 2001 to May 2002
o Cross certification between the NPKI and the GPKI constructed in April 2002
o Korean GPKI constructed in July 2002
  - GPKI system installed and supported for digital signature registration at 25 Registration Authorities from October to December 2002
o Groundwork for GPKI encryption key management laid from February to July
o Wireless certification system constructed and certification services advanced in December 2004
o Wire/wireless integrated certification management center constructed in December 2005
o GPKI encryption key management system constructed in February 2006
o Government digital signature authentication and encryption key management system advanced in November 2007

Relevant Laws

o The Promotion of E-Government Act (enacted in February 2001)
  - Section 20. Certification of e-signatures
  - Authorities in charge of e-signature certification (Supreme Court and four Ministers in charge)
  - Duly certified e-signatures are deemed identical to official seals
o Implementation Rules of the Promotion of E-Government Act
  - Section 11. Certification of e-signatures: the MOPAS operates the GPKI center under its command (Root CA)
o Section 57. Relegation and commission of accreditation
  - The head of the MOPAS may, at his/her discretion, designate and authorize a body of the central government or a local government as an Accredited CA.


Expected effects

o Reliable and secure e-administration through construction of a unified certification management system and increased system security
o Enhanced "administrative productivity" under the security guaranteed by the GPKI center, and thereby encouragement of e-administration and sharing of administrative information
o A secure and convenient e-administration service for the public under the guarantee of each citizen's privacy

Certificate of government e-signature

o Definition: the term "certificate of government e-signature" refers to electronic information issued to government agencies and workers to verify and prove the authenticity of a government e-signature.
o Usage
  - Online verification of identity (certification of government workers and computers)
  - E-signature (official or personal seal)
  - Encryption (confidentiality of documents in transmission)

<Table 16> Type of Certificate

Types | Intended Receiver | Purpose
For Official Use: Electronic seal | Division of an agency authorized to have an official seal | To verify identification related to administrative work requiring receipt/transmittal confirmation
For Official Use: Special electronic seal | A government body authorized to have an official seal pursuant to Section 36 of the Work Management Guidelines | For work requiring special official seals
For Official Use: For computer | Computer system that processes administration electronically (e.g. server) | For administrative work that a computer system processes continuously according to set rules
For Individual Use | Government employees | For user certification, online payment, secured e-mail, access to VPN, etc.

Status on certification of government e-signature

o Hierarchy of certification of government e-signature (as of December 2005)

<Table 17> Status of GPKI

Type | Role | Organization
Root CA | Certification of Accredited CAs | MOPAS
CA | Certificate issuance and management for government employees; accreditation and operation of Registration Authorities (RAs) | Five government agencies including the Supreme Public Prosecutors' Office, Supreme Court, Ministry of Education and Ministry of Defense
RA | User identification and registration management; accreditation and operation of remote RAs | 29 government agencies including the Office of the Presidential Chief of Staff, Office of Presidential Secret Detail, Korea Tax Service, etc.
Local RA | User identification and registration operation | 500 agencies including the National Intelligence Service, Ministry of Planning and Budget, Board of Audit and Inspection, etc.
Government Employee | Use of digital signature, encryption and certification services | Government employees and authorities that have been issued and are using certificates

Construction and operation of unified certification system

o Wire and wireless issuance system for GPKI certificates
o Application of the standard API to e-signature and encoding
o Unified verification of GPKI and NPKI

Development and distribution of API

o 4th version distributed in January 2005: supports certificates of the NPKI and GPKI and performs unified certification
o 5th version distributed in January 2006: strengthened security against hacking and improved performance
o Each agency has to prepare maintenance plans when applying new application services
o Application process

<Table 18> Application Process

Type | Detail
Process | Discussion about application of the security module -> submission of written request (to the agency in charge) -> receipt of request -> transmission of reply -> technical support -> transmission of prototype (to the agency in need)
Scope | Central and local government agencies
Options/language | HP-UX, AIX, Redhat, Solaris and Windows; C, C++ and JAVA

Unified verification service

o Verification of GPKI and NPKI certificates from an application through the unified verification server
o Centralized management of certification policies makes it easier to reflect new technology and relevant standards in the policies
o An application developer can apply the security module and detect problems easily without knowledge of certification

Management service of authorized access

o Provision of SSO (single sign-on) and unified authorization services for G4C, eNana, GKMC and the certification management center
o Verification of KMS interoperability

Observance of wire and wireless GPKI standards, and a guarantee of the stability and conformance of the national infrastructure

o Technical standards of certification to verify the technical eligibility of the national certification management center
  - Wire PKI: Certificate, CRL/ARL, CTL, CMP, OCSP, TSP, Encryption/Decryption, Digital Signature
  - Wireless PKI: WCMP, SignedContent, WAP EnvelopedData Verification


o Failure to meet the standards leads to vulnerability to hacking and to difficulties in compatibility and expandability

(Figure 11) GPKI System Configuration

Future development directions

o Certification service improvement
  - Improvement of certification services such as certificate verification
  - Increased use of standardized security APIs
  - Enhanced education and training for persons in charge of certification and for users
  - Development of applications using the GPKI
o Laws and regulations
  - Realization of certification policy and CPS
  - Establishment of criteria for CA auditing and qualifications
  - Improvement of laws and regulations with regard to the encryption key recovery system
o Operation and management
  - Government and private cooperation, and presenting a technical cooperation system (such as a cooperation system between KISA and private CAs)
  - Establishment of the policy council of GPKIs and its regularization
o Wireless certification service
  - Finding wireless GPKI services
  - Deriving the promotion tasks of the wireless GPKI and presenting improvement methods


1.3.3. NPKI (National PKI)

The NPKI consists of the root CA and accredited CAs; their roles and structure are shown in the figure below.

[Figure content, recovered from the diagram text]
- MOPAS: law and policy arrangement; national authentication plan management; accredited CA management
- Root CA (KISA): national authentication and system operation; field test for accredited CA accreditation; issuing a certificate for a licensed CA
- Accredited CA (ACA): authentication management; providing CA service; certificate issuance; certificate termination/renewal

(Figure 12) NPKI System Organization

1.3.3.1. Root CA (KISA) - Korea Certificate Authority Center

Background

o The Korea Information Security Agency (KISA) was established on April 10, 1996 under the provisions of section 52 of the Promotion of Utilization of Information and Communication Network and Data Protection Act.
o Organization chart

(Figure 13) Organization chart of KISA

Missions of KISA

o Major working area
  - Internet incidents response and prevention
  - Private information and privacy protection


  - Combating illegal spam
  - Digital signature management; the Root CA for the NPKI
  - Information infrastructure protection
  - IT security products evaluation
  - Information security policy/technology development

Roles of Root CA

o Operation of Root CA systems: issuing certificates to ACAs and managing them
o Accreditation requirements
  - Financial capability: more than 8 million US dollars
  - Personnel capability: more than 12 persons for CA operation
  - Facilities and equipment: subscriber registration, key management, certificate management, subscriber's S/W and security operation procedures
o CA accreditation renewal
  - Accreditation is valid for 2 years: apply to the MOPAS no later than 30 days before its expiration
o Accreditation procedure

(Figure 14) Accreditation Procedure

Accredited CA Management: Actual Examination and Regular Audit for CAs

o KISA audits the accredited CAs' operation every year and verifies whether the CAs manage their operations securely
o KISA provides a self-assessment guideline to accredited CAs


(Figure 15) Procedure for regular audits

CA Audit Items

<Table 19> CA Audit Items

No. | Item | Description
1 | Certification Service | Secure operation procedures such as certificate issuance
2 | Key Management | Secure operation and management procedures for the CA key
3 | Other Certification Service | Secure and reliable services such as time-stamping
4 | Facility and Equipment Management | Secure and reliable operation and management of the CA system, network facilities and physical access control equipment
5 | Documents and Record Management | Management of CA operation rules and certification records
6 | Test Operation and Information Providing | Accuracy of CA information provided; secure test operation
7 | Network, System and Physical Facilities | Security and reliability of network, system and physical facilities
8 | Disaster Recovery and Business Continuity Process (BCP) | Security and maintenance of the disaster plan; management of the BCP plan and personnel

o To conduct research on legal and policy issues of electronic signatures
o To develop technical standards for the National PKI: diffuse new technologies related to electronic signatures and standardize them
o To promote electronic signature usage
o To support international cooperation: research on certification services and mutual recognition

1.3.3.2. Accredited CAs

Statistics on Accredited CAs (as of June 2006; published by MIC)

o South Korea now has five accredited CAs: SG, KOSCOM, KFTC, CrossCert and KTNET.

<Table 20> Statistics on Accredited CAs

No. | Accredited CA / Web site | Accredited Date | Characteristics | Main Business Area
1 | SGCA (SignGATE), http://www.signgate.co.kr | 2000. 02. 10 | Corporation | All industries
2 | KOSCOM (CA: SignKorea), http://www.signkorea.com | 2000. 02. 10 | Special purpose corporation | Cyber trading
3 | KFTC (CA: yessign), http://www.yessign.com | 2000. 04. 12 | Non-commercial organization | Internet banking
4 | CrossCert (CA: CrossCert), http://gca.crosscert.com | 2001. 11. 24 | Corporation | All industries
5 | KTNET (CA: TradeSign), http://www.tradesign.net | 2002. 03. 11 | State-run corporation with special mission | Trading

RA and E-Service Provider (as of September 30, 2008; published by MOPAS)

o An RA (registration authority) is an entity that verifies the identity of a user, while a service provider is an entity that uses accredited certificates for its services.

<Table 21> Statistics on RA and e-Service Provider

CA | RA | Service Organization | Notes
KICA | 141 | 281 |
KOSCOM | 94 | 135 |
KFTC | 22 | 301 |
CrossCert | 52 | 63 |
KTNET | 28 | 36 |
Total | 337 | 816 |

Types of Accredited Certificate and Fees

o Certificates have two purposes: general purpose and specific purpose. General-purpose certificates are used for any type of transaction and cost US$4 for an individual and US$100 for a corporation. Specific-purpose certificates, on the other hand, are used only for a certain kind of transaction, such as banking; in that case the fees are borne by the business entity.
o Consumers have paid fees for general-purpose corporate certificates since 2000, and for general-purpose individual certificates since June 2004.

<Table 22> Types of Certificate and Fee

Types | Entity | Certificate Usage Field | Fee
General | Individual | All electronic transactions | 4,400 won (US$4)
General | Corporation | All electronic transactions | 100,000 won (US$100)
Specific | - | G2C, Bank, Insurance | Free
Specific | - | G2C, Stock, Insurance | Free
Specific | - | G4C, Credit Card | Free

Number of Users and Certificates Issued (as of February 28, 2009; published by MIC)

o Approximately 29 million certificates have been issued. Individual users take out certificates for purposes such as Internet banking, stock trading and credit card payment, while corporate users take them out for online procurement, tax payment and other payments.


Number of annual issuance of certificates (as of September 30, 2008; published by MOPAS)

o Issuance has been on a steady rise since 2000, and the trend is expected to continue considering the increasing demand for wireless accredited certificates and device certificates.

(Figure 16) Annual Issuance of Certificates

<Table 23> Statistics on issued certificates

CA | Server | Individual: General Purpose | Individual: Specific Purpose, Bank/Insurance | Individual: Specific Purpose, Stock/Insurance | Individual: Specific Purpose, Credit Card | Individual: Special Purpose | Corporation | Total
KICA | 2,992 | 803,606 | 1,027,421 | 0 | 5 | 66,348 | 446,225 | 2,346,597
KOSCOM | 707 | 1,270,163 | 0 | 2,728,417 | 333 | 112,967 | 112,706 | 4,225,293
KFTC | 287 | 284,113 | 20,192,180 | 0 | 0 | 0 | 1,972,121 | 22,448,701
CrossCert | 442 | 404,795 | 676 | 0 | 0 | 53,083 | 193,405 | 652,401
KTNET | 261 | 2,778 | 0 | 0 | 0 | 11,221 | 139,947 | 154,207
SUM | 4,689 | 2,765,455 | 21,220,277 | 2,728,417 | 338 | 243,619 | 2,864,404 | 29,827,199


2. The State of Brunei PKI

2.1. E-Government Institutional Structure

The E-Government National Centre played a leading role in establishing the organization through which each government agency conducts e-services, with mutual cooperation between government authorities.

(Figure 17) e-Government Institutional Structure in Brunei

EGLF (E-Government Leadership Forum)

o Chaired by the Minister of Energy, PMO
o Members consist of Permanent Secretaries from the Ministries
o To modernize the civil service in meeting public service delivery expectations and managing the challenging demands of a dynamic environment through increased usage of ICT
o To set strategic policy directions and be accountable for the overall delivery of the e-Government initiative
o To give a quarterly report to His Majesty the Sultan and Yang Di-Pertuan of Brunei Darussalam

Overall Government CIO

o Deputy Permanent Secretary at the PMO
o To identify, create and realize more value in current and proposed systems and applications to best serve the Government, citizens, communities and businesses, particularly in citizen-centric services
o To ensure that the e-Government programs and projects are aligned to the strategic direction and any other directive from the EGLF
o Managing performance and feedback from the Ministries' CIOs
o Escalating matters raised by CIOs and cascading directives from the EGLF

EGNC (e-Government National Centre)

o Service operation for Government
o ICT central procurement


o ICT human resource management
o Strategic e-Government planner *
o Technical advisory *
o EGLF secretariat *
o Note: * previously the role of the E-Government Technical Authority Body (EGTAB)

CIO Meeting (previously known as the CIO Dialogue)

o Chaired by the Overall Government CIO
o Gathers inputs from CIOs at the various Ministries and reports them to the EGLF
o Cascading of policies, guidelines, etc.
o Endorsing non-flagship e-Government projects

Industry Dialogue Session

o Chaired by the Overall Government CIO
o Attended by representatives from the ICT industry, including IFB
o Gathers industry feedback and comments
o To socialize policies, regulations, etc.

Ministries

o Responsible for the implementation and management of projects and e-services

ITPSS (IT Protective Security Services Sdn Bhd)

o Exclusive security services provider for the E-Government

AITI (Authority for Info-communications Technology Industry)

o Infocommunications regulator
o Development of the ICT industry in Brunei Darussalam

2.2. PKI Hierarchy in Brunei

MOF (Ministry of Finance)

o The MOF is the Controller of Certification Authorities as defined by the Electronic Transactions Act.
o The MOF may make regulations giving detailed guidelines for the regulation and licensing of certification authorities.

EGNC (E-Government National Centre)

o The EGNC is the government CA for secure e-mail and web server certificates for public servants and government organizations.
o The EGNC PKI system is operated at the EGNC data center and a backup site.
o The EGNC has a Root CA system which issues the CA certificate for the EGNC government CA.
o There are five RAs as well as the EGNC.


(Figure 18) PKI Scheme in Brunei

2.3. Legal Framework of PKI in Brunei

(Figure 19) PKI legal Framework in Brunei

Brunei has only the Electronic Transactions Act, which is very similar to the Singaporean Act. The Korean PKI consultants proposed that the legal framework of PKI in Brunei follow the Singaporean legal structure (ETA - ETR - Guidelines).


2.4. PKI application in Brunei

TAFIS (Treasury Accounting and Financial Information System)

o TAFIS will apply a certificate-based login process instead of ID/password in order to increase security and strengthen authentication.
o The Government CA in the EGNC will issue certificates for TAFIS users using an HSM.
o Promoting improved public trust through the development of e-government services that are made possible on the Internet by digital signing

(Figure 20) PKI based login in TAFIS System


3. The State of Kenya PKI

3.1. E-Government Institutional Structure

Cabinet Committee

o The top of the structure; it comprises the Minister of State for Provincial Administration and National Security (Chair), the Minister for Finance, the Minister for Information & Communications, and the Minister for Education, Science & Technology. It oversaw the implementation of the e-Government strategy.

(Figure 21) e-Government Institutional Structure in Kenya

Permanent Secretaries Committee

o It consists of Permanent Secretaries and Accounting Officers.
o Implementation of selected e-Government initiatives by providing ownership
o Institutional support

National Communication Secretariat (NCS)

o Formulate info-communication policies and recommendations
o Carry out telecommunications and postal policy, research and analysis
o Conduct continuous review of all phases of development in info-communications
o Assist in the preparation of country position papers for all international meetings
o Update sector policy statements, sessional papers and legislation pertaining to info-communications


3.2. PKI Hierarchy

Ministry of Information and Communications

o Developing ICT policy, including information policy, communication policy and film development policy
o Coordinating the dissemination of public information and the development of national communications capacity

Communications Commission of Kenya (CCK)

o Regulatory authority for the communications sector in Kenya
o Facilitating the development of the information and communications sectors (including broadcasting, multimedia, telecommunications and postal services) and electronic commerce, and the management of the country's radio frequency spectrum

Kenya ICT Board

o Positioning and promoting Kenya as an ICT destination (locally and internationally)
o Promoting Business Process Outsourcing (BPO) and offshoring
o Advising the government on all relevant matters pertaining to the development and promotion of ICT industries in the country
o Providing government and other stakeholders with skills, capacity and funding for anchor implementation of ICT projects for development
o Coordinating, directing and implementing anchor ICT projects within Government

(Figure 22) PKI Scheme in Kenya

3.3. Legal Framework

The highest legislation pertaining to PKI in Kenya is the "Kenya Information and Communications Act of 1998 CAP 411A" (hereinafter KICA), and under the KICA the "ELECTRONIC CERTIFICATION AND DOMAIN NAME ADMINISTRATION REGULATION 2010" describes it in more detail.


(Figure 23) PKI Legal Framework in Kenya

CCK (Communications Commission of Kenya), which will take the role of Root Certificate Authority in the Kenya National Public Key Infrastructure, defines the licensing framework for Certification Service Providers (CSPs), i.e. the Certificate Authorities that issue certificates, in the "Technical Rollout Requirements for Certification Service Providers".

The legislative framework for the national PKI is depicted below.

<Table 24> Legislative Framework

Category                     | Contents
Law                          | Kenya Information and Communications Act, Chapter 411A
Regulation                   | Kenya Information and Communications (Electronic Certification and Domain Name Administration) Regulations, 2010
Policy and License Framework | Technical Rollout Requirements for Certification Service Providers (CSPs)

3.4. PKI Application

Kenya Revenue Authority (KRA) has introduced a new online system, iTax, meant to improve on the existing Integrated Tax Management System (ITMS). iTax is an integrated, web-enabled and secure application that provides an automated solution for the administration of domestic taxes. The system is aimed at improving compliance and reducing cases of tax evasion. KRA plans to replace the ID/password login with certificate-based login in the near future, in order to strengthen authentication and security.

Development of Pilot Application Integration
o The Government CA will issue certificates to KRA users.
o Promoting public trust through the development of e-government services that can be used over the internet with digital signatures
o Collecting requirements for applying PKI to e-government services and related development


4. The State of Cameroon PKI

4.1. PKI Hierarchy

Ministry of Posts and Telecommunications (MINPOSTEL)
o Contributing to the development of infrastructure and network access for new information and communication technologies
o Supervising public enterprises operating in the information and communication technologies sector
o Formulating PKI-relevant policies
o Securing the cooperation of the relevant agencies

National Agency for Information and Communication Technologies (ANTIC)
o Promotion and monitoring of public policy on Information and Communication Technology (ICT)
o Developing and monitoring the implementation of the national strategy for ICT development
o Developing policies and procedures for the registration of the ICT environment
o Operating the PKI centre
o Providing administrative and technical support for the Government RA and the accredited CAs

(Figure 24) PKI Scheme in Cameroon


4.2. Legal Framework

In December 2010 the President of the Republic enacted the Law on Electronic Commerce, which includes provisions on electronic signatures.

4.3. PKI Application

ANTIC is considering issuing certificates to bank clerks of Cameroon Postal Services (CAMPOST). CAMPOST will enhance the security of e-POST with PKI (strong authentication, digital signature, data encryption). The "current-account" and "money-transfer" functions of e-POST will be secured with PKI as a pilot application.

The figure below shows the concept of e-Post with PKI.

(Figure 25) e-Post in Cameroon

1. The bank user requests a certificate from the teller (RA administrator) face to face.
2. The teller registers the user's information with the CA and receives an issuance code number for the certificate.
3. The certificate is issued to the bank user's laptop using the issuance code number.
4. The bank user logs in to the e-Post system with certificate-based login.
5. The e-Post system verifies the bank user's certificate. If it is valid, the e-Post system offers the banking service.
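The five steps above, and the certificate-based login that KRA plans for iTax (section 3.4), as an added example that is not part of the original report and not ANTIC's, CAMPOST's or KRA's software. It is written in Go using only the standard library. The report describes the flow but not how the issuance code is generated, checked or tied to the certificate, so the CA model, the one-time issuance code handling and all names ("Alice Example", "Example e-Post Root CA") are assumptions for illustration. The point it adds is what "verifies the certificate" in step 5 has to mean in practice: chain validation to the root with the right key usage, plus a signed fresh nonce proving the user holds the private key; a copied certificate file on its own must not log anyone in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA stands in for the pilot's certificate authority (a hypothetical model, not ANTIC's software); codes maps a registered CN to the SHA-256 of its one-time issuance code.
type CA struct {
	Key   *ecdsa.PrivateKey
	Cert  *x509.Certificate
	codes map[string][32]byte
}

// NewCA creates a self-signed root CA (the CA name is assumed for the example).
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example e-Post Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert, codes: map[string][32]byte{}}, err
}

// Register is step 2: after face-to-face identification the teller (RA) registers the user and receives a random one-time issuance code to hand over.
func (ca *CA) Register(cn string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil { return "", err }
	code := fmt.Sprintf("%x", raw)
	ca.codes[cn] = sha256.Sum256([]byte(code)) // only the hash is kept
	return code, nil
}

// Enroll is the user's side of step 3: the key pair is generated on the laptop; only a CSR goes to the CA.
func Enroll(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, csr, err
}

// Issue is the CA's side of step 3: the CSR signature proves possession of the key, the code is compared in
// constant time and consumed so it cannot be replayed, and the certificate is bound to the registered CN.
func (ca *CA) Issue(csrDER []byte, code string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	cn := csr.Subject.CommonName
	want, ok := ca.codes[cn]
	got := sha256.Sum256([]byte(code))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 { return nil, fmt.Errorf("invalid issuance code for %q", cn) }
	delete(ca.codes, cn) // single use
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // unpredictable serial
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// Answer is the user's side of step 4: sign the server's fresh nonce with the certified key.
func Answer(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Login is the server's side of steps 4 and 5: the certificate must chain to the root with client-auth usage inside its
// validity period, and the signed nonce proves the user holds the private key. A real deployment adds revocation (CRL/OCSP) here.
func Login(root *x509.Certificate, certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return "", err }
	roots := x509.NewCertPool(); roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil { return "", fmt.Errorf("bad challenge response") }
	return cert.Subject.CommonName, nil
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func main() { // the five steps of Figure 25 in order; must panics on any failure
	ca := must(NewCA())
	code := must(ca.Register("Alice Example")) // steps 1-2, at the counter
	key, csr, err := Enroll("Alice Example")   // step 3, on the user's laptop
	certDER := must(ca.Issue(must(csr, err), code))
	nonce := make([]byte, 32) // step 4, server challenge
	must(rand.Read(nonce))
	sig := must(Answer(key, nonce))
	fmt.Println("authenticated:", must(Login(ca.Cert, certDER, nonce, sig))) // step 5
}
```

Run it with `go run`. Two design choices matter for the pilot: the CA stores only a hash of the issuance code and discards it on first use, so a code copied from a receipt or a log cannot be used to obtain a second certificate for the same customer; and the server never trusts the certificate alone but demands a signature over a nonce it chose itself, which is also what turns KRA's planned certificate login into something stronger than a password. Private key protection on the laptop and revocation checking are out of scope here.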


5. The State of Germany PKI

5.1. PKI Hierarchy in Germany

(Figure 26) PKI hierarchy in Germany

Two Root CAs were established to provide certification services for the private and public sectors:
o Accredited CAs issue digital certificates to citizens, private companies and servers (G2C, G2B, B2B)
o Government CAs issue digital certificates to public officials (G2G)

5.2. Legal Framework of PKI in Germany

(Figure 27) PKI Legal Framework in Germany

o The Digital Signature Act (SigG) has been in effect since May 2001, and its first amendment (SigG*) entered into force in January 2005.
o SigG* designates the Federal Network Agency (Bundesnetzagentur) as the supervisory and accreditation body for CAs and as the Root CA.
o The BSI (Federal Office for Information Security) is the root CA for the public sector and acts as the verification and confirmation body.


5.3. PKI Application in Germany

An SSL certificate costs from about USD 7 for an individual and about USD 150 for a company.

Certification service providers are allowed to identify an applicant using data they have already collected at an earlier point in time, if the applicant agrees to this simplified identification procedure. CSPs may also use applicant identification data from third parties, or delegate the task of applicant identification to another company; this is aimed at promoting the use of qualified certificates in banking.

5.4. PKI Policy

Accounting
o The Principles of Data Access and Verifiability of Digital Documentation (GDPdU), issued in a letter from the Federal Ministry of Finance dated 16 July 2001, contain rules on the retention of digital documentation and on the taxpayer's duty to cooperate in company audits.
o The GDPdU stipulations on the retention of invoices state that an electronic invoice must bear a qualified electronic signature.

E-Government
o The E-Government Act came into effect in August 2013; its main provisions are:
  - obligation to open an electronic channel and an e-mail access point;
  - principles of electronic record keeping and replacement scanning;
  - relief in the provision of electronic evidence and electronic payment in administrative procedures;
  - fulfilment of publication obligations by electronic publication and promulgation of official gazettes;
  - obligation to document and analyse processes;
  - regulation of the supply of machine-readable data files by the administration.

Electronic Identity Card
o Germany has issued an electronic identity card (eID) since 2010.
o The eID is used for authentication and for signing e-documents with a digital signature.


6. Regulation (EU) No 910/2014

REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) Building trust in the online environment is key to economic and social development. Lack of trust, in particular because of a perceived lack of legal certainty, makes consumers, businesses and public authorities hesitate to carry out transactions electronically and to adopt new services.

(2) This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.

(3) Directive 1999/93/EC of the European Parliament and of the Council (3), dealt with electronic signatures without delivering a comprehensive cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions. This Regulation enhances and expands the acquis of that Directive.

(4) The Commission communication of 26 August 2010 entitled 'A Digital Agenda for Europe' identified the fragmentation of the digital market, the lack of interoperability and the rise in cybercrime as major obstacles to the virtuous cycle of the digital economy. In its EU Citizenship Report 2010, entitled 'Dismantling the obstacles to EU citizens' rights', the Commission further highlighted the need to solve the main problems that prevent Union citizens from enjoying the benefits of a digital single market and cross-border digital services.

(5) In its conclusions of 4 February 2011 and of 23 October 2011, the European Council invited the Commission to create a digital single market by 2015, to make rapid progress in key areas of the digital economy and to promote a fully integrated digital single market by facilitating the cross-border use of online services, with particular attention to facilitating secure electronic identification and authentication.

(6) In its conclusions of 27 May 2011, the Council invited the Commission to contribute to the digital single market by creating appropriate conditions for the mutual recognition of key enablers across borders, such as electronic identification, electronic documents, electronic signatures and electronic delivery services, and for interoperable e-government services across the European Union.

(7) The European Parliament, in its resolution of 21 September 2010 on completing the internal market for e-commerce (1), stressed the importance of the security of electronic services, especially of electronic signatures, and of the need to create a public key infrastructure at pan-European level, and called on the Commission to set up a European validation authorities gateway to ensure the cross-border interoperability of electronic signatures and to increase the security of transactions carried out using the internet.


(8) Directive 2006/123/EC of the European Parliament and of the Council (2) requires Member States to establish 'points of single contact' (PSCs) to ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof can be easily completed, at a distance and by electronic means, through the appropriate PSC with the appropriate authorities. Many online services accessible through PSCs require electronic identification, authentication and signature.

(9) In most cases, citizens cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification schemes in their country are not recognised in other Member States. That electronic barrier excludes service providers from enjoying the full benefits of the internal market. Mutually recognised electronic identification means will facilitate cross-border provision of numerous services in the internal market and enable businesses to operate on a cross-border basis without facing many obstacles in interactions with public authorities.

(10) Directive 2011/24/EU of the European Parliament and of the Council (3) set up a network of national authorities responsible for e-health. To enhance the safety and the continuity of cross-border healthcare, the network is required to produce guidelines on cross-border access to electronic health data and services, including by supporting 'common identification and authentication measures to facilitate transferability of data in cross-border healthcare'. Mutual recognition of electronic identification and authentication is key to making cross-border healthcare for European citizens a reality. When people travel for treatment, their medical data need to be accessible in the country of treatment. That requires a solid, safe and trusted electronic identification framework.

(11) This Regulation should be applied in full compliance with the principles relating to the protection of personal data provided for in Directive 95/46/EC of the European Parliament and of the Council (4). In this respect, having regard to the principle of mutual recognition established by this Regulation, authentication for an online service should concern processing of only those identification data that are adequate, relevant and not excessive to grant access to that service online. Furthermore, requirements under Directive 95/46/EC concerning confidentiality and security of processing should be respected by trust service providers and supervisory bodies.

(12) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to authenticate, for at least public services. This Regulation does not aim to intervene with regard to electronic identity management systems and related infrastructures established in Member States. The aim of this Regulation is to ensure that for access to cross-border online services offered by Member States, secure electronic identification and authentication is possible.

(13) Member States should remain free to use or to introduce means for the purposes of electronic identification for accessing online services. They should also be able to decide whether to involve the private sector in the provision of those means. Member States should not be obliged to notify their electronic identification schemes to the Commission. The choice to notify the Commission of all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to Member States.

(14) Some conditions need to be set out in this Regulation with regard to which electronic identification means have to be recognised and how the electronic identification schemes should be notified. Those conditions should help Member States to build the necessary trust in each other's electronic identification schemes and to mutually recognise electronic identification means falling under their notified schemes. The principle of mutual recognition should apply if the notifying Member State's electronic identification scheme meets the conditions of notification and the notification was published in the Official Journal of the European Union. However, the principle of mutual recognition should only relate to authentication for an online service. The access to those online services and their final delivery to the applicant should be closely linked to the right to receive such services under the conditions set out in national legislation.

(15) The obligation to recognise electronic identification means should relate only to those means the identity assurance level of which corresponds to the level equal to or higher than the level required for the online service in question. In addition, that obligation should only apply when the public sector body in question uses the assurance level 'substantial' or 'high' in relation to accessing that service online. Member States should remain free, in accordance with Union law, to recognise electronic identification means having lower identity assurance levels.

(16) Assurance levels should characterise the degree of confidence in electronic identification means in establishing the identity of a person, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity was assigned. The assurance level depends on the degree of confidence that electronic identification means provides in claimed or asserted identity of a person taking into account processes (for example, identity proofing and verification, and authentication), management activities (for example, the entity issuing electronic identification means and the procedure to issue such means) and technical controls implemented. Various technical definitions and descriptions of assurance levels exist as the result of Union-funded Large-Scale Pilots, standardisation and international activities. In particular, the Large-Scale Pilot STORK and ISO 29115 refer, inter alia, to levels 2, 3 and 4, which should be taken into utmost account in establishing minimum technical requirements, standards and procedures for the assurance levels low, substantial and high within the meaning of this Regulation, while ensuring consistent application of this Regulation in particular with regard to assurance level high related to identity proofing for issuing qualified certificates. The requirements established should be technology-neutral. It should be possible to achieve the necessary security requirements through different technologies.

(17) Member States should encourage the private sector to voluntarily use electronic identification means under a notified scheme for identification purposes when needed for online services or electronic transactions. The possibility to use such electronic identification means would enable the private sector to rely on electronic identification and authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic identification means across borders by the private sector, the authentication possibility provided by any Member State should be available to private sector relying parties established outside of the territory of that Member State under the same conditions as applied to private sector relying parties established within that Member State. Consequently, with regard to private sector relying parties, the notifying Member State may define terms of access to the authentication means. Such terms of access may inform whether the authentication means related to the notified scheme is presently available to private sector relying parties.

(18) This Regulation should provide for the liability of the notifying Member State, the party issuing the electronic identification means and the party operating the authentication procedure for failure to comply with the relevant obligations under this Regulation. However, this Regulation should be applied in accordance with national rules on liability. Therefore, it does not affect those national rules on, for example, definition of damages or relevant applicable procedural rules, including the burden of proof.

(19) The security of electronic identification schemes is key to trustworthy cross-border mutual recognition of electronic identification means. In this context, Member States should cooperate with regard to the security and interoperability of the electronic identification schemes at Union level. Whenever electronic identification schemes require specific hardware or software to be used by relying parties at the national level, cross-border interoperability calls for those Member States not to impose such requirements and related costs on relying parties established outside of their territory. In that case appropriate solutions should be discussed and developed within the scope of the interoperability framework. Nevertheless technical requirements stemming from the inherent specifications of national electronic identification means and likely to affect the holders of such electronic means (e.g. smartcards), are unavoidable.

(20) Cooperation by Member States should facilitate the technical interoperability of the notified electronic identification schemes with a view to fostering a high level of trust and security appropriate to the degree of risk. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.

(21) This Regulation should also establish a general legal framework for the use of trust services. However, it should not create a general obligation to use them or to install an access point for all existing trust services. In particular, it should not cover the provision of services used exclusively within closed systems between a defined set of participants, which have no effect on third parties. For example, systems set up in businesses or public administrations to manage internal procedures making use of trust services should not be subject to the requirements of this Regulation. Only trust services provided to the public having effects on third parties should meet the requirements laid down in the Regulation. Neither should this Regulation cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by national or Union law. In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers.

(22) In order to contribute to their general cross-border use, it should be possible to use trust services as evidence in legal proceedings in all Member States. It is for the national law to define the legal effect of trust services, except if otherwise provided in this Regulation.

(23) To the extent that this Regulation creates an obligation to recognise a trust service, such a trust service may only be rejected if the addressee of the obligation is unable to read or verify it due to technical reasons lying outside the immediate control of the addressee. However, that obligation should not in itself require a public body to obtain the hardware and software necessary for the technical readability of all existing trust services.

(24) Member States may maintain or introduce national provisions, in conformity with Union law, relating to trust services as far as those services are not fully harmonised by this Regulation. However, trust services that comply with this Regulation should circulate freely in the internal market.

(25) Member States should remain free to define other types of trust services in addition to those making part of the closed list of trust services provided for in this Regulation, for the purpose of recognition at national level as qualified trust services.

(26) Because of the pace of technological change, this Regulation should adopt an approach which is open to innovation.

(27) This Regulation should be technology-neutral. The legal effects it grants should be achievable by any technical means provided that the requirements of this Regulation are met.

(28) To enhance in particular the trust of small and medium-sized enterprises (SMEs) and consumers in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider should be introduced with a view to indicating requirements and obligations that ensure high-level security of whatever qualified trust services and products are used or provided.

(29) In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, approved by Council Decision 2010/48/EC (1), in particular Article 9 of the Convention, persons with disabilities should be able to use trust services and end-user products used in the provision of those services on an equal basis with other consumers. Therefore, where feasible, trust services provided and end-user products used in the provision of those services should be made accessible for persons with disabilities. The feasibility assessment should include, inter alia, technical and economic considerations.

(30) Member States should designate a supervisory body or supervisory bodies to carry out the supervisory activities under this Regulation. Member States should also be able to decide, upon a mutual agreement with another Member State, to designate a supervisory body in the territory of that other Member State.

(31) Supervisory bodies should cooperate with data protection authorities, for example, by informing them about the results of audits of qualified trust service providers, where personal data protection rules appear to have been breached. The provision of information should in particular cover security incidents and personal data breaches.

(32) It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to boost users' trust in the single market.

(33) Provisions on the use of pseudonyms in certificates should not prevent Member States from requiring identification of persons pursuant to Union or national law.

(34) All Member States should follow common essential supervision requirements to ensure a comparable security level of qualified trust services. To ease the consistent application of those requirements across the Union, Member States should adopt comparable procedures and should exchange information on their supervision activities and best practices in the field.

(35) All trust service providers should be subject to the requirements of this Regulation, in particular those on security and liability to ensure due diligence, transparency and accountability of their operations and services. However, taking into account the type of services provided by trust service providers, it is appropriate to distinguish as far as those requirements are concerned between qualified and non-qualified trust service providers.

(36) Establishing a supervisory regime for all trust service providers should ensure a level playing field for the security and accountability of their operations and services, thus contributing to the protection of users and to the functioning of the internal market. Non-qualified trust service providers should be subject to a light touch and reactive ex post supervisory activities justified by the nature of their services and operations. The supervisory body should therefore have no general obligation to supervise non-qualified service providers. The supervisory body should only take action when it is informed (for example, by the non-qualified trust service provider itself, by another supervisory body, by a notification from a user or a business partner or on the basis of its own investigation) that a non-qualified trust service provider does not comply with the requirements of this Regulation.

(37) This Regulation should provide for the liability of all trust service providers. In particular, it establishes the liability regime under which all trust service providers should be liable for damage caused to any natural or legal person due to failure to comply with the obligations under this Regulation. In order to facilitate the assessment of financial risk that trust service providers might have to bear or that they should cover by insurance policies, this Regulation allows trust service providers to set limitations, under certain conditions, on the use of the services they provide and not to be liable for damages arising from the use of services exceeding such limitations. Customers should be duly informed about the limitations in advance. Those limitations should be recognisable by a third party, for example by including information about the limitations in the terms and conditions of the service provided or through other recognisable means. For the purposes of giving effect to those principles, this Regulation should be applied in accordance with national rules on liability. Therefore, this Regulation does not affect those national rules on, for example, definition of damages, intention, negligence, or relevant applicable procedural rules.

(38) Notification of security breaches and security risk assessments is essential with a

view to providing adequate information to concerned parties in the event of a breach of

security or loss of integrity.

(39) To enable the Commission and the Member States to assess the effectiveness of the

breach notification mechanism introduced by this Regulation, supervisory bodies should

be requested to provide summary information to the Commission and to European Union Agency for Network and Information Security (ENISA).

(40) To enable the Commission and the Member States to assess the effectiveness of the enhanced supervision mechanism introduced by this Regulation, supervisory bodies should be requested to report on their activities. This would be instrumental in facilitating the exchange of good practice between supervisory bodies and would ensure the verification of the consistent and efficient implementation of the essential supervision requirements in all Member States.

(41) To ensure sustainability and durability of qualified trust services and to boost users’ confidence in the continuity of qualified trust services, supervisory bodies should verify the existence and the correct application of provisions on termination plans in cases where qualified trust service providers cease their activities.

(42) To facilitate the supervision of qualified trust service providers, for example, when a provider is providing its services in the territory of another Member State and is not subject to supervision there, or when the computers of a provider are located in the territory of a Member State other than the one where it is established, a mutual assistance system between supervisory bodies in the Member States should be established.

(43) In order to ensure the compliance of qualified trust service providers and the services they provide with the requirements set out in this Regulation, a conformity assessment should be carried out by a conformity assessment body and the resulting conformity assessment reports should be submitted by the qualified trust service providers to the supervisory body. Whenever the supervisory body requires a qualified trust service provider to submit an ad hoc conformity assessment report, the supervisory body should respect, in particular, the principles of good administration, including the obligation to give reasons for its decisions, as well as the principle of proportionality. Therefore, the supervisory body should duly justify its decision to require an ad hoc conformity assessment.

(44) This Regulation aims to ensure a coherent framework with a view to providing a high level of security and legal certainty of trust services. In this regard, when addressing the conformity assessment of products and services, the Commission should, where appropriate, seek synergies with existing relevant European and international schemes such as the Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) which sets out the requirements for accreditation of conformity assessment bodies and market surveillance of products.

(45) In order to allow an efficient initiation process, which should lead to the inclusion of qualified trust service providers and the qualified trust services they provide into trusted lists, preliminary interactions between prospective qualified trust service providers and


the competent supervisory body should be encouraged with a view to facilitating the due diligence leading to the provisioning of qualified trust services.

(46) Trusted lists are essential elements in the building of trust among market operators as they indicate the qualified status of the service provider at the time of supervision.

(47) Confidence in and convenience of online services are essential for users to fully benefit and consciously rely on electronic services. To this end, an EU trust mark should be created to identify the qualified trust services provided by qualified trust service providers. Such an EU trust mark for qualified trust services would clearly differentiate qualified trust services from other trust services thus contributing to transparency in the market. The use of an EU trust mark by qualified trust service providers should be voluntary and should not lead to any requirement other than those provided for in this Regulation.

(48) While a high level of security is needed to ensure mutual recognition of electronic signatures, in specific cases, such as in the context of Commission Decision 2009/767/EC (1), electronic signatures with a lower security assurance should also be accepted.

(49) This Regulation should establish the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for national law to define the legal effect of electronic signatures, except for the requirements provided for in this Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.

(50) As competent authorities in the Member States currently use different formats of advanced electronic signatures to sign their documents electronically, it is necessary to ensure that at least a number of advanced electronic signature formats can be technically supported by Member States when they receive documents signed electronically. Similarly, when competent authorities in the Member States use advanced electronic seals, it would be necessary to ensure that they support at least a number of advanced electronic seal formats.

(51) It should be possible for the signatory to entrust qualified electronic signature creation devices to the care of a third party, provided that appropriate mechanisms and procedures are implemented to ensure that the signatory has sole control over the use of his electronic signature creation data, and the qualified electronic signature requirements are met by the use of the device.

(52) The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust service provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user-managed environment, remote electronic signature service providers should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust service providers set out in this Regulation should apply.

(53) The suspension of qualified certificates is an established operational practice of trust service providers in a number of Member States, which is different from revocation and entails the temporary loss of validity of a certificate. Legal certainty calls for the suspension status of a certificate to always be clearly indicated. To that end, trust service providers should have the responsibility to clearly indicate the status of the certificate and, if suspended, the precise period of time during which the certificate has been suspended.


This Regulation should not impose the use of suspension on trust service providers or Member States, but should provide for transparency rules when and where such a practice is available.

(54) Cross-border interoperability and recognition of qualified certificates is a precondition for cross-border recognition of qualified electronic signatures. Therefore, qualified certificates should not be subject to any mandatory requirements exceeding the requirements laid down in this Regulation. However, at national level, the inclusion of specific attributes, such as unique identifiers, in qualified certificates should be allowed, provided that such specific attributes do not hamper cross-border interoperability and recognition of qualified certificates and electronic signatures.

(55) IT security certification based on international standards such as ISO 15408 and related evaluation methods and mutual recognition arrangements is an important tool for verifying the security of qualified electronic signature creation devices and should be promoted. However, innovative solutions and services such as mobile signing and cloud signing rely on technical and organisational solutions for qualified electronic signature creation devices for which security standards may not yet be available or for which the first IT security certification is ongoing. The level of security of such qualified electronic signature creation devices could be evaluated by using alternative processes only where such security standards are not available or where the first IT security certification is ongoing. Those processes should be comparable to the standards for IT security certification insofar as their security levels are equivalent. Those processes could be facilitated by a peer review.

(56) This Regulation should lay down requirements for qualified electronic signature creation devices to ensure the functionality of advanced electronic signatures. This Regulation should not cover the entire system environment in which such devices operate. Therefore, the scope of the certification of qualified signature creation devices should be limited to the hardware and system software used to manage and protect the signature creation data created, stored or processed in the signature creation device. As detailed in relevant standards, the scope of the certification obligation should exclude signature creation applications.

(57) To ensure legal certainty as regards the validity of the signature, it is essential to specify the components of a qualified electronic signature, which should be assessed by the relying party carrying out the validation. Moreover, specifying the requirements for qualified trust service providers that can provide a qualified validation service to relying parties unwilling or unable to carry out the validation of qualified electronic signatures themselves, should stimulate the private and public sector to invest in such services. Both elements should make qualified electronic signature validation easy and convenient for all parties at Union level.

(58) When a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person should be equally acceptable.

(59) Electronic seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity.

(60) Trust service providers issuing qualified certificates for electronic seals should implement the necessary measures in order to be able to establish the identity of the natural person representing the legal person to whom the qualified certificate for the electronic seal is provided, when such identification is necessary at national level in the context of judicial or administrative proceedings.

(61) This Regulation should ensure the long-term preservation of information, in order to ensure the legal validity of electronic signatures and electronic seals over extended


periods of time and guarantee that they can be validated irrespective of future technological changes.

(62) In order to ensure the security of qualified electronic time stamps, this Regulation should require the use of an advanced electronic seal or an advanced electronic signature or of other equivalent methods. It is foreseeable that innovation may lead to new technologies that may ensure an equivalent level of security for time stamps. Whenever a method other than an advanced electronic seal or an advanced electronic signature is used, it should be up to the qualified trust service provider to demonstrate, in the conformity assessment report, that such a method ensures an equivalent level of security and complies with the obligations set out in this Regulation.

(63) Electronic documents are important for further development of cross-border electronic transactions in the internal market. This Regulation should establish the principle that an electronic document should not be denied legal effect on the grounds that it is in an electronic form in order to ensure that an electronic transaction will not be rejected only on the grounds that a document is in electronic form.

(64) When addressing formats of advanced electronic signatures and seals, the Commission should build on existing practices, standards and legislation, in particular Commission Decision 2011/130/EU (1).

(65) In addition to authenticating the document issued by the legal person, electronic seals can be used to authenticate any digital asset of the legal person, such as software code or servers.

(66) It is essential to provide for a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic registered delivery services. That framework could also open new market opportunities for Union trust service providers to offer new pan-European electronic registered delivery services.

(67) Website authentication services provide a means by which a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website. Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated. The provision and the use of website authentication services are entirely voluntary. However, in order for website authentication to become a means to boosting trust, providing a better experience for the user and furthering growth in the internal market, this Regulation should lay down minimal security and liability obligations for the providers and their services. To that end, the results of existing industry-led initiatives, for example the Certification Authorities/Browsers Forum — CA/B Forum, have been taken into account. In addition, this Regulation should not impede the use of other means or methods to authenticate a website not falling under this Regulation nor should it prevent third country providers of website authentication services from providing their services to customers in the Union. However, a third country provider should only have its website authentication services recognised as qualified in accordance with this Regulation, if an international agreement between the Union and the country of establishment of the provider has been concluded.

(68) The concept of ‘legal persons’, according to the provisions of the Treaty on the Functioning of the European Union (TFEU) on establishment, leaves operators free to choose the legal form which they deem suitable for carrying out their activity. Accordingly, ‘legal persons’, within the meaning of the TFEU, means all entities constituted under, or governed by, the law of a Member State, irrespective of their legal form.

(69) The Union institutions, bodies, offices and agencies are encouraged to recognise electronic identification and trust services covered by this Regulation for the purpose of administrative cooperation capitalising, in particular, on existing good practices and the results of ongoing projects in the areas covered by this Regulation.


(70) In order to complement certain detailed technical aspects of this Regulation in a flexible and rapid manner, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of criteria to be met by the bodies responsible for the certification of qualified electronic signature creation devices. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(71) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission, in particular for specifying reference numbers of standards the use of which would raise a presumption of compliance with certain requirements laid down in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (1).

(72) When adopting delegated or implementing acts, the Commission should take due account of the standards and technical specifications drawn up by European and international standardisation organisations and bodies, in particular the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the International Organisation for Standardisation (ISO) and the International Telecommunication Union (ITU), with a view to ensuring a high level of security and interoperability of electronic identification and trust services.

(73) For reasons of legal certainty and clarity, Directive 1999/93/EC should be repealed.

(74) To ensure legal certainty for market operators already using qualified certificates issued to natural persons in compliance with Directive 1999/93/EC, it is necessary to provide for a sufficient period of time for transitional purposes. Similarly, transitional measures should be established for secure signature creation devices, the conformity of which has been determined in accordance with Directive 1999/93/EC, as well as for certification service providers issuing qualified certificates before 1 July 2016. Finally, it is also necessary to provide the Commission with the means to adopt the implementing acts and delegated acts before that date.

(75) The application dates set out in this Regulation do not affect existing obligations that Member States already have under Union law, in particular under Directive 2006/123/EC.

(76) Since the objectives of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the scale of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(77) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (2) and delivered an opinion on 27 September 2012 (3),




Glossary

ARL – Authority Revocation List
ASN.1 – Abstract Syntax Notation One
B2B – Business to Business
BCA – Bridge Certification Authority
BER – Basic Encoding Rules
CA – Certification Authority
CRL – Certificate Revocation List
CC – Cross Certification
CP – Certificate Policy
CPS – Certificate Practice Statement
CSP – Certification Service Provider
CTL – Certificates Trust List
DAP – Directory Access Protocol
DER – Distinguished Encoding Rules
DIT – Directory Information Tree
DN – Distinguished Name
EE – End Entity
LDAP – Lightweight Directory Access Protocol
MS – Member State
OCSP – Online Certificate Status Protocol
OID – Object Identifier
PKCS – Public Key Cryptography Standard
PKI – Public Key Infrastructure
RDN – Relative Distinguished Name
RA – Registration Authority
SCA – Subordinate CA
VA – Validation Authority

Mr. Jong Min Choi, Managing Director, Korea Information Certificate Authority (KICA), Republic of Korea

Mr. Seung Ho Ryu, Manager, Korea Information Certificate Authority (KICA), Republic of Korea