Trust services are meant to add integrity, authenticity and confidentiality to electronic communications, and therefore they are a key factor in boosting citizens’ confidence in online transactions. The whole lifecycle of trust service provision, from the issuance of a certificate to its revocation, as well as all the added services, such as signature verification or long-term preservation, needs to be equipped with strong security measures to guarantee that trust is not broken at any step of the process.
The European Commission, aware of the importance of advancing towards a mature and harmonized trust services market, presented in July 2012 a proposal for a new Regulation on electronic identification and trust services for electronic transactions, which will supersede the current Directive 1999/93/EC on a Community framework for electronic signatures.
Art. 15 of the proposed Regulation establishes certain provisions regarding the security requirements applicable to trust service providers. Art. 15.1 states that trust service providers shall take appropriate technical and organisational measures to manage the risks posed to the security of their services. The article stresses that these measures shall ensure that the level of security is appropriate to the degree of risk, and that they shall prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents.
In order to facilitate the implementation of this provision, as well as to generally support trust service providers in the introduction of best security practices, ENISA has been working in 2013 on a series of studies on the topics of risk assessment, security requirements and incident management for trust service providers issuing electronic certificates, as well as the security aspects of the new trust services foreseen in the proposed Regulation.
ENISA aims to validate the results of its studies with stakeholders, and for this purpose we have planned both a workshop and a survey on the topic of security aspects of trust services. The objective of the workshop is not just to present and discuss the results of ENISA studies, but also to promote an open exchange of ideas among the different stakeholders involved in the trust services sector.
The workshop has been structured to achieve the following targets:
- To present the studies conducted by ENISA on the security of trust services: risk assessment guidelines, security measures, trust breaches and security aspects of the new trust services defined in the Regulation.
- To validate the results of the studies with participants’ feedback. We have selected a format for the sessions to contribute to open discussion.
- To facilitate the dialog among the different stakeholders of the trust service sector: providers (for any type of trust services), regulators, supervisors, independent forums, etc.