Leslie Romeo Head of De-Mail & Trust Services 1&1 De-Mail GmbH – Member of United Internet
EIDAS – OPPORTUNITIES AND RISKS IN INTERNATIONAL COMPETITION FOR TSPS
CA-Day 2016 – 19.09.2016
1&1 – Member of United Internet AG
Agenda
• Requirements according to eIDAS (for qualified electronic registered delivery services)
• De-Mail (vs. / =) eIDAS?
• Opportunities without risks?
• Avoiding risks, making it work!
© 1&1 De-Mail GmbH – Leslie Romeo 2 22.09.2016
1&1 - Member of United Internet AG
• Strong Team: 8 200 employees (2 700 in product management, development and system administration)
• Sales Power: about 3.2 million contracts annually; 50 000 sign-ups for free services daily
• Operational Excellence: 49 million accounts in 11 countries; 7 certified data centers; 70 000 servers in the EU and US
• Powerful Network Infrastructure: 41 000 km optical fibre network
Access / Applications / Network / Devices / Content / Software
1&1 - Member of United Internet AG
Requirements for qualified electronic registered delivery services
Legal effect (Art. 43):
“1. (…) using an electronic registered delivery service shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form (…)”
“2. (…) using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service.”
Requirements (Art. 44):
• Certification: “(…) provided by (…) qualified trust service providers;”
• Identification: “(…) high level of confidence the identification of the sender / addressee”
• Integrity Protection: “(…) secured by an advanced electronic signature (…) or seal (…)”
• Qualified electronic time stamp: “(…) Date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.”
Same legal effect as paper-based transactions.
Same legal effect as a qualified electronic signature, and thus the effect of an actual signature.
Certification, identification, integrity protection and qualified signature lead to the legal effects through proven privacy, integrity, authenticity and liability.
Target: Digital transformation of paper mail.
De-Mail vs. eIDAS? Comparison of Standards - The facts:
Facts De-Mail (§§ 1 ff. De-Mail-G):
• Accredited De-Mail service provider
• Identification beyond a reasonable doubt of all users as foundation of a De-Mail account (LOA 4)
• Continuous integrity protection
• Qualified signed received receipt, delivery receipt and read receipt including time stamp
Requirements for qualified electronic registered delivery services (Art. 44 (1) eIDAS):
• (…) qualified trust service provider(s) (…)
• (…) a high level of confidence the identification of the sender; (…) the identification of the addressee before the delivery of the data;
• (…) preclude the possibility of the data being changed undetectably;
• the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.
De-Mail (=)* eIDAS! *Confirmed by BSI, BNetzA and BfDI
Target: Trusted services have the same legally binding status as the paper process.
Opportunities without risks? No way!
In Germany, certification as a De-Mail provider is one possibility (so far the only one) to become a qualified trust service provider according to eIDAS.
eIDAS: the model of success
eIDAS: the enabler of distortion of competition
Possible and likely different interpretations of the Regulation by the member states and companies
Opportunities:
• EU-wide standardization
• Harmonization of different solutions in the member states
• Uniform requirements
• Uniform legal effects
• Level playing field on a European single digital market
Risks:
• Only abstract rules in the eIDAS Regulation for qualified electronic registered delivery services
• Missing detailed implementing acts
• Missing use cases
• Missing interoperability
Risks
The vagueness of the eIDAS Regulation leads to:
• Different requirements, with conformity measured in widely varying ways
• Different barriers to market entry for TSPs
• Different barriers to product entry for users
• Different levels of assessment in regard to security, privacy, integrity, etc.
• Impossibility of interoperability
Consequence:
• Market distortion
• Uncertainty of the user
• No mandatory interoperability
• The lowest assessment level will always be the lowest bidder
• The security situation in the EU will deteriorate overall
• The market stays as heterogeneous (and insecure) as it is now, but with a legal blessing.
Making it work
Ensure a level playing field:
• Create implementing acts
• Reference mandatory international standards
• Ensure and enforce the same level of assessment across the EU
Promote rapid dissemination across all target groups:
• Visible and mandatory offer by the public sector
• Mandatory use cases (at least for business users and the public sector), model: Denmark
• Visibility for end users
• Involvement of entities that will disseminate information
Improve usage possibilities and create more incentives:
• Reduce entry barriers (e.g. possibilities of identification)
• Subsidise usage
Questions?
Contact
1&1 De-Mail GmbH
Leslie Romeo, Head of De-Mail & Trust Services
Ernst-Frey-Straße 10
76135 Karlsruhe, Germany
Phone +49 721 91374-3973
[email protected]
[email protected]
www.1und1.de
THANK YOU FOR YOUR ATTENTION!
Backup
De-Mail = eIDAS! Overview of functions:
Sender (protocol depending on sender client):
• Web browser • E-Mail client • Plugin solutions • OSCI client • Gateway
Service provider (sender side):
• Verification / adding of meta data • Integrity protection on message level • Encryption on message level • Delivery receipt
Interoperational protocol between service providers (requirements of the transmission protocol):
• Delivery receipt • Encryption • Verification of meta data and integrity
Service provider (recipient side)
Recipient (protocol depending on recipient client):
• Web browser • E-Mail client • Plugin solution • OSCI client • Gateway
Optional: End-to-end encryption
The 1&1 IT infrastructure is certified according to the De-Mail standard (BSI and BfDI) and is intended to be recognized as a qualified eIDAS trust service (process pending) by 1 July.
The infrastructure is based on widely used and recognized international standards in the e-mail environment (SMTP, S/MIME, SSL, etc.) and is globally adaptable.
Technical specifications of the De-Mail standard have already been introduced in international standardisation bodies.
Possible next steps to offer and implement eIDAS-compliant qualified trust services: Interoperability, Scope Expansion / Scalability, Certified Infrastructure in the EU
• The 1&1 infrastructure can thus be implemented as an already certified, cost-saving white-label solution (“SaaS” / “managed” / “on premise”).
• Operation for EU member states as a nationwide or distributed system.
• Highly scalable (from 1-10 million users upwards).
• The SPOCS project, sponsored by the EU Commission, has drawn up procedures for the interoperability of systems operating according to the De-Mail standard with systems of other member states.
• De-Mail based systems are an integrated part of the eSense project with regard to cross-border legally binding communication with France, Austria, Slovenia and Greece.
Security overview
Sender: create De-Mail
• Two-step login
• Two-factor authentication (possession/knowledge)
• Confidential transport channels
• Integrity protection by DKIM signature
De-Mail service provider (sender side):
• Brief, automated check (spam / viruses) of the decrypted message in volatile memory
• Encrypted storage in the mailbox
Transmission over an encrypted channel
De-Mail service provider (recipient side):
• Brief, automated check (spam / viruses) of the decrypted message in volatile memory
• Encrypted storage in the mailbox
De-Mail service providers (DMDA):
• Penetration tests • Strict role-based authorization concept • Consistent four-eyes principle • Redundant systems • DMDA-to-DMDA communication over SSL tunnel • Document encryption • Protection against spam, viruses and malware
• Qualified electronic signatures • Qualified-signed retrieval, dispatch and receipt confirmations • Algorithms according to BSI requirements
• Environment certified by the BSI according to ISO 27001 on the basis of IT-Grundschutz and by the BfDI according to the data protection criteria catalogue, and under constant supervision
Recipient: display of the De-Mail
• Confidential transport channels
• Integrity protection by DKIM signature
• Two-step login
• Two-factor authentication (possession/knowledge)
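The DKIM integrity protection listed in the security overview can be checked on the receiving side at the body-hash level. The following is an added example, not code from the slides or from 1&1 De-Mail: it canonicalizes a message body as RFC 6376 specifies (simple or relaxed), recomputes the SHA-256 body hash and compares it with the bh= tag of a DKIM-Signature header, so that any modification of the body in transit is detected. The message body, the domain example.invalid and the selector demo are constructed sample values; checking the b= signature itself additionally needs the signer's public key from DNS and is not part of this example.

```python
"""Check the DKIM body hash (bh=) of a mail message (RFC 6376).

Added example for the "integrity protection by DKIM signature" item; not code
from the slides or from 1&1 De-Mail. Only the body-hash part of a DKIM-Signature
is verified here; the b= signature needs the public key from DNS and RSA.
"""
import base64
import hashlib
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace inside values is dropped, as RFC 6376 3.2 allows."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: str, method: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split("\r\n")
    if method == "relaxed":
        # Collapse runs of SP/HTAB inside a line to one SP, drop trailing WSP.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    elif method != "simple":
        raise ValueError("unknown canonicalization: " + method)
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # Simple: an empty body becomes a single CRLF; relaxed: it stays empty.
        return b"\r\n" if method == "simple" else b""
    # A non-empty body always ends with exactly one CRLF.
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, method: str = "relaxed") -> str:
    """Base64 SHA-256 over the canonicalized body, i.e. the value stored in bh=."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """True when the bh= tag matches the hash of the body actually received."""
    tags = parse_dkim_tags(dkim_header)
    algorithm = tags.get("a", "rsa-sha256")
    if not algorithm.endswith("-sha256"):  # only SHA-256 body hashes handled here
        raise ValueError("unsupported algorithm: " + algorithm)
    # c= is "header/body"; an absent body part means "simple".
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_method)


# Constructed sample (not a real De-Mail): a message body and a DKIM-Signature
# header whose bh= was computed over exactly this body. d= and s= are placeholders.
SAMPLE_BODY = "Dear recipient,\r\n\r\nyour contract  is attached.  \r\n\r\n\r\n"
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.invalid; s=demo;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + ";\r\n"
    " b=<signature omitted>"
)

if __name__ == "__main__":
    print("body hash matches:", verify_body_hash(SAMPLE_DKIM, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("attached", "rejected")
    print("after tampering:  ", verify_body_hash(SAMPLE_DKIM, tampered))
```

A receiving provider that gets a mismatch here should treat the message as altered in transit and not issue a delivery receipt for it; note that relaxed canonicalization deliberately ignores whitespace-only changes, so those are not detected by design.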
Situation De-Mail (07/2014):
• approx. 80% of the market distributed nationally
• approx. 70% De-Mail potential “one click” away (accredited DMDAs)
• 70% of all private e-mail users are reached directly by accredited DMDAs and have De-Mail available “at one click”.
• approx. 1 million end users under binding contract (50% identified)
• approx. 50,000 companies with a De-Mail domain under contract
• Easier end-to-end encryption through the integration of PGP into De-Mail by the end of 2014
Market shares (chart legend):
National providers with a legally secure solution: WEB.DE 27%, GMX 27%, 1&1 5%, T-Online 9%
National providers: Freenet 4%, Arcor 3%, Kabel Dt. 1%
US providers: Microsoft 8%, Google 7%, Yahoo 4%, AOL 4%
De-Mail off to a good start, but no breakthrough yet