Wednesday, June 26, 2013

An electronic signature bridge between continents


Anyone who forms an opinion from the news that Google Alerts returns for "electronic signature" and "digital signature" might think that in the United States people only sign electronically on tablets (handwritten signature capture) and in real estate businesses.

If so, what future is there for all the investment Europe has made in promoting (not explicitly, of course; here we make laws "technologically neutral") signature systems based on electronic certificates and PKIs (Public Key Infrastructure) and, secondarily, on cryptographic smart cards (where European companies like Gemalto and Giesecke & Devrient are major players worldwide)? We would certainly not be heading towards widely adopted solutions ...

But it turns out that the U.S. does not live on signature capture alone. Looking for something else led me to ETSI TR 102 458 V1.1.1 (2006-04), Technical Report, Electronic Signatures and Infrastructures (ESI); Mapping Matrix Comparison Between the U.S. Federal Bridge CA Certificate Policy and the European Qualified Certificate Policy (TS 101 456).



The first thing that strikes us is that the document has stayed at a very early version (1.1.1). In fact, looking at the version history, it is the first published version ...

The second thing you notice is the age of the document (2006!), and no revisions have been published.

And the third: if in the U.S. they sign on tablets, what is this U.S. Federal Bridge CA (FBCA) about? So it seems that in the U.S., too, the important things are signed using certificates, asymmetric cryptography and PKIs.

A short introduction to the U.S. Federal Bridge CA


The FBCA is an information system that facilitates acceptance of certificates for transactions. Since its initial conceptualization and operation, the FBCA has evolved into the Federal Public Key Infrastructure Architecture (FPKIA) that encompasses Certification Authorities (CAs) from multiple vendors supporting different FPKI policy and function.

It has been designed to create trust paths among individual Agency PKIs and employs a distributed - NOT a hierarchical - model.

Commercial CA products participate within the membrane of the Bridge and it develops cross-certificates within the membrane to bridge the gap among dissimilar products.

Well implemented, it could lead to a reduction in the number of certificate policies (ES) that are causing so much unnecessary work in Spain.

The appropriateness of the mapping


As I mentioned earlier, this membrane aims to equate, through cross-certification, certificates from different Certification Service Providers that meet certain similar requirements (basically security and procedural ones), so that a certificate can be used in environments for which the other certificates were developed. For example, the Qualified Certificates under European law can be used at the U.S. Department of Defense (DoD), which has its own PKI.

Of the different levels defined by the FBCA, ETSI 102 458 shows the equivalence between the medium level of the FBCA and qualified certificates (QCP - Qualified Certificate Policy) defined in another ETSI document (TS 101 456). The medium level includes the options "medium hardware", equivalent to a qualified certificate plus a secure signature-creation device (QCP + SSCD), and "medium - Commercial Best Practices".
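How a relying party's path validator makes use of such cross-certificates can be shown with a simplified model of X.509 policy mapping (an added example, not code from this post, ETSI or the FBCA). The policy names are placeholders standing in for real policy OIDs, the three-certificate path is hypothetical, and anyPolicy, policy constraints and signature checks are left out.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject: str
    policies: set  # certificatePolicies asserted in this certificate
    # policyMappings extension: issuerDomainPolicy -> {subjectDomainPolicy, ...}
    mappings: dict = field(default_factory=dict)


def acceptable_policies(path, wanted):
    """Return the policies in `wanted` (relying party's own domain) that the
    path, ordered from trust anchor to end entity, actually satisfies."""
    expected = {p: {p} for p in wanted}
    for cert in path:
        # A policy survives only if the certificate asserts one of the
        # identifiers currently considered equivalent to it.
        expected = {p: eq & cert.policies
                    for p, eq in expected.items() if eq & cert.policies}
        # A cross-certificate translates issuer-domain policies into the
        # subject's domain; unmapped policies are expected unchanged.
        expected = {p: set().union(*(cert.mappings.get(o, {o}) for o in eq))
                    for p, eq in expected.items()}
    return set(expected)


# Constructed sample path (placeholder names, not real OIDs or real certificates).
AGENCY_TO_BRIDGE = Cert("Bridge CA", {"agency-medium-hw"},
                        {"agency-medium-hw": {"fbca-medium-hw"}})
BRIDGE_TO_EU = Cert("European CSP CA", {"fbca-medium-hw"},
                    {"fbca-medium-hw": {"qcp-sscd"}})
SIGNER_SSCD = Cert("EU signer, key on SSCD", {"qcp-sscd"})
SIGNER_SOFT = Cert("EU signer, software key", {"qcp"})


def demo():
    chain = [AGENCY_TO_BRIDGE, BRIDGE_TO_EU]
    return {
        "sscd": acceptable_policies(chain + [SIGNER_SSCD], {"agency-medium-hw"}),
        "soft": acceptable_policies(chain + [SIGNER_SOFT], {"agency-medium-hw"}),
        "high": acceptable_policies(chain + [SIGNER_SSCD], {"agency-high"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", sorted(result) or "rejected")
```

An empty result means the path asserts no policy the relying party asked for, which is how a certificate below the mapped level is refused even though its signature chain is intact.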

The document sets the different sections of the QCP (ETSI TS 101 456) against the corresponding sections of the FBCA CP, indicating the degree of equivalence of each, which can be:
  • Exceeds: The FBCA CP provides a higher level of assurance/security than the QCP requirement. 
  • Equivalent: The FBCA CP provides exactly the same assurance/security as the QCP requirement. 
  • Comparable: The FBCA CP provides a comparable level of assurance/security as the QCP requirement. 
  • Partial: The FBCA CP contains policy that is comparable, but it does not address the entire QCP requirement. 
  • Not Comparable: The FBCA CP contains dissimilar contents, which provide a lower level of assurance/security than the QCP requirement. 
  • Missing: The FBCA CP does not contain contents that can be compared to the QCP requirement in any way. 
  • N/A (Not Applicable): The FBCA implementation is such that mapping the FBCA CP to the QCP requirement in this area is not appropriate.

Both a summary of the matrix (which, despite being a summary, I do not include because of its length) and the detail of the comparative study are in the technical report to which this post refers (ETSI 102 458).

As a conclusion ...


... it should be noted that the mapping is positive, i.e. the levels are comparable, with the greatest differences concerning key management and the services offered to subscribers and relying parties.

As expected, the QCP requirements provide more guarantees regarding individuals.

Unfortunately ...


... and as already noted, this white paper has not been revised since 2006, and it is based on the FBCA CP Version 1, which defined a set of seven (7) certificate policies for five (5) security levels (Rudimentary, Basic, Medium, Medium Hardware, and High), while the current version is 2.26 (April 2012) and defines twelve (12) certificate policies for six (6) security levels (Rudimentary, Basic, Medium, PIV-I Card Authentication, Medium Hardware, and High).

A review of the report is necessary if Europe wants our Certification Service Providers to be able to go out and sell outside Europe.
