IntroSec

Added information from Trust chapter.

1 files changed, 51 insertions, 1 deletions

diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md
index f8e5f93..5df6055 100644
--- a/en_GB/Introduction to Information Security/introduction_to_information_security.md
+++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md
@@ -384,6 +384,53 @@ Infrastructure providing the service of public key distribution.
   Medium. CA checks same as *DV* + company identity checked by third parties.
 - Extended Validation SSL Certificate (EV cert)  
   Expensive. CA checks same as *OV* + official record matching.
+
+### Electronic Signatures
+
+*Digital Signatures* are signatures created by a public / private key pair and built upon mathematical evidence.
+However, there is no court accepting this as a "signature" in a classic sense.  
+*Electronic Signatures* are binding documents with legal persons. So entering a name in some document count as electronic signature.
+This provides no integrity checks or mathematical validation.
+
+#### eIDAS
+
+With EU Regulation # 940/2014 (eIDAS), *Electronic Seals* come into place. They are issued by legal persons and provide integrity service.
+A seal from a representative might also be accepted.  
+Also, *Trust Services* have been introduced. They provide approved procedures to convey a high level of trust.
+They are identified by the EU trust mark. Trust services provide a "Beweisumkehr" to them, if something goes wrong.  
+*Advanced Electronic Signatures* are electronic signatures with mathematical evidence, de facto implemented with *digital signatures*.  
+*Qualified Electronic Signatures* are electronic signatures created by a *qualified electronic signature creation device*.
+
+#### Identity Proofing and Verification
+
+| Proof level | Meaning |
+| --- | --- |
+| Low | Person *can be assumed* to possess this identity evidence of the member state in some form. |
+| Substantial | Person *has been verified* to possess the identity it claims by the member state. |
+| High | Person *has been verified* to be in possession of photo or biometric evidence. |
+
+#### Registration Authorities
+
+One has to have the possession of a certificate for the "Signaturgesetz".
+
+1. *Registration Authority* checks the identity of that person.
+2. *Certificate Authority* generates the certificate.
+
+*X.509* provedes certificate revocation lists for revoked certificates.
+This has to be handled online by *OCSP* servers. This may lead to high traffic.
+
+#### eID Public Key Infrastructure
+
+- *Document Signer* (DS)
+- *Country Signing Certificate Authority* (CSCA): Issues certificates for signers.
+- *Country Verifying Certificate Authority* (CVCA): Issues certificates to verifiers.
+
+#### Verification Procedure
+
+1. Digital signature binds document to public key.
+2. Certificate binds public key to name.
+3. Procedures at CA check correspondence between name and person.
+4. Operational procedures check that the person is holding the private key.
   
 ## Cryptocurrencies
 
@@ -435,7 +482,7 @@ Privacy is based on the *Universal Declaration of Human Rights*. No one shall be
 
 Member states shall protect the rights guaranteed in the *Universal Declaration of Human Rights*.
 But member states shall also not restrict the free flow of data between states.
-Tese *directives* are not *laws*. It is up to the states to implements the *directives* how they like.
+These *directives* are not *laws*. It is up to the states to implements the *directives* how they like.
 
 #### Terminology
 
@@ -456,6 +503,9 @@ Tese *directives* are not *laws*. It is up to the states to implements the *dire
 
 ### EU General Data Protection Regulation (GDPR)
 
+Compared to *directives*, *regulations* are directly implemented as laws to the courts,
+independent of the member state culture.
+
 - Penalties: 4% of annual global turnover.
 - Request consent in a more accessible form (explainations to the DAU)
 - Breach notification