From 93bcbc79afb52cfa189ef5ee86804d8bb19fb645 Mon Sep 17 00:00:00 2001 From: Leonard Kugis Date: Mon, 9 Mar 2020 18:22:46 +0100 Subject: IntroSec Added information from Trust chapter. --- .../introduction_to_information_security.md | 52 +++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md index f8e5f93..5df6055 100644 --- a/en_GB/Introduction to Information Security/introduction_to_information_security.md +++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md 
@@ -384,6 +384,53 @@ Infrastructure providing the service of public key distribution. Medium. CA checks same as *DV* + company identity checked by third parties. - Extended Validation SSL Certificate (EV cert) Expensive. CA checks same as *OV* + official record matching. + +### Electronic Signatures + +*Digital Signatures* are signatures created by a public / private key pair and built upon mathematical evidence. +However, there is no court accepting this as a "signature" in a classic sense. +*Electronic Signatures* are binding documents with legal persons. So entering a name in some document count as electronic signature. +This provides no integrity checks or mathematical validation. + +#### eIDAS + +With EU Regulation # 940/2014 (eIDAS), *Electronic Seals* come into place. They are issued by legal persons and provide integrity service. +A seal from a representative might also be accepted. +Also, *Trust Services* have been introduced. They provide approved procedures to convey a high level of trust. +They are identified by the EU trust mark. Trust services provide a "Beweisumkehr" to them, if something goes wrong. +*Advanced Electronic Signatures* are electronic signatures with mathematical evidence, de facto implemented with *digital signatures*. +*Qualified Electronic Signatures* are electronic signatures created by a *qualified electronic signature creation device*. + +#### Identity Proofing and Verification + +| Proof level | Meaning | +| --- | --- | +| Low | Person *can be assumed* to possess this identity evidence of the member state in some form. | +| Substantial | Person *has been verified* to possess the identity it claims by the member state. | +| High | Person *has been verified* to be in possession of photo or biometric evidence. | + +#### Registration Authorities + +One has to have the possession of a certificate for the "Signaturgesetz". + +1. *Registration Authority* checks the identity of that person. +2. 
*Certificate Authority* generates the certificate. + +*X.509* provedes certificate revocation lists for revoked certificates. +This has to be handled online by *OCSP* servers. This may lead to high traffic. + +#### eID Public Key Infrastructure + +- *Document Signer* (DS) +- *Country Signing Certificate Authority* (CSCA): Issues certificates for signers. +- *Country Verifying Certificate Authority* (CVCA): Issues certificates to verifiers. + +#### Verification Procedure + +1. Digital signature binds document to public key. +2. Certificate binds public key to name. +3. Procedures at CA check correspondence between name and person. +4. Operational procedures check that the person is holding the private key. ## Cryptocurrencies @@ -435,7 +482,7 @@ Privacy is based on the *Universal Declaration of Human Rights*. No one shall be Member states shall protect the rights guaranteed in the *Universal Declaration of Human Rights*. But member states shall also not restrict the free flow of data between states. -Tese *directives* are not *laws*. It is up to the states to implements the *directives* how they like. +These *directives* are not *laws*. It is up to the states to implements the *directives* how they like. #### Terminology @@ -456,6 +503,9 @@ Tese *directives* are not *laws*. It is up to the states to implements the *dire ### EU General Data Protection Regulation (GDPR) +Compared to *directives*, *regulations* are directly implemented as laws to the courts, +independent of the member state culture. + - Penalties: 4% of annual global turnover. - Request consent in a more accessible form (explainations to the DAU) - Breach notification -- cgit v1.2.1
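Review bot: In the first hunk (@@ -384,6 +384,53 @@, the new "Electronic Signatures" section) the reference "EU Regulation # 940/2014 (eIDAS)" has the wrong number; the eIDAS regulation is Regulation (EU) No 910/2014. In the same hunk the "Registration Authorities" paragraph conflates two revocation mechanisms: X.509 certificate revocation lists are periodically published lists that relying parties download, while OCSP is a separate online status protocol, so "This has to be handled online by *OCSP* servers. This may lead to high traffic." should present OCSP as the online alternative to CRLs (with its own load and availability trade-off) rather than as the way CRLs are served. Smaller points: "provedes" should be "provides"; "entering a name in some document count as electronic signature" should be "counts as an electronic signature"; the untranslated German terms "Beweisumkehr" and "Signaturgesetz" need an English gloss (reversal of the burden of proof; the German Signature Act) since the file lives under en_GB; and the "*Document Signer* (DS)" bullet in the eID PKI list is the only entry without a description, so give it a short one like the CSCA and CVCA entries.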
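Review bot: In the second hunk (@@ -435,7 +482,7 @@) the "Tese" -> "These" fix leaves the rest of the same line ungrammatical: "It is up to the states to implements the *directives* how they like" should read "It is up to the states to implement the *directives* as they see fit".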
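Review bot: In the third hunk (@@ -456,6 +503,9 @@) the added sentence "*regulations* are directly implemented as laws to the courts, independent of the member state culture" misstates what distinguishes a regulation: an EU regulation is directly applicable in every member state without national transposition, whereas a directive (as the section above already says) has to be implemented by each state. Suggest: "Unlike *directives*, *regulations* apply directly as law in all member states, without transposition into national legislation." The adjacent context line "explainations to the DAU" also has a typo ("explanations"), and "DAU" is German jargon that English readers will not recognise; "non-expert users" would be clearer.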