Requirements for the use of encryption and digital signatures

Principal requirements for the use of encryption and digital signatures in the European energy sector
Current status and options for market participants

Status:          Request for comments
Version/release: 0.3
Revision:        none
Date:            February 15, 2016
Use of encryption and digital signatures in the European energy sector
CONTENTS
0 MANAGEMENT SUMMARY 4
0.1 BACKGROUND 4
0.2 KEY RECOMMENDATIONS 4
1 INTRODUCTION 6
1.1 ABOUT THIS DOCUMENT 6
1.2 SCOPE OF PROJECT 6
1.3 PARTICIPANTS IN THE PROJECT 6
1.4 REFERENCES 7
1.5 CHANGE LOG 7
2 BACKGROUND 8
2.1 MARKET DRIVERS 8
2.1.1 General market features 8
2.1.2 Pressure on participants 8
2.2 EDI RELEVANT TRANSACTIONS AND THEIR REQUIREMENTS IN TERMS OF SECURITY 9
2.2.1 Invoices/credit notes and accompanying information 9
2.2.2 Customer master data 9
2.3 TRADERS 9
2.4 POLITICAL FRAMEWORK 10
3 THE LEGAL FRAMEWORK IN CONTEXT 11
3.1 GLOBAL SITUATION 11
3.2 EXAMPLE APPLICATION OF EUROPEAN DIRECTIVES – THE LEGAL SITUATION IN GERMANY 12
3.2.1 Status of legal documents 12
3.2.2 Principles concerning access to and verifiability of digital documents and consequences within archiving processes 13
3.2.3 Consequences from the Act amending taxation on company turnover 14
4 TECHNICAL STANDARDIZATION 15
4.1 DIGITAL SIGNATURES AND EDIFACT 15
4.1.1 Progress of decision-making by the EDIFACT standardization bodies 15
4.1.2 Discussed alternatives for implementation into EDIFACT 15
4.2 DIGITAL SIGNATURES AND XML 16
4.3 DIGITAL SIGNATURE AND E-MAIL 17
4.4 INTEROPERABILITY OF DIGITAL SIGNATURES 17
4.4.1 ISIS-MTT standard 17
4.5 VALIDATION OF DIGITAL SIGNATURES ACROSS ASSOCIATION BOUNDARIES 18
5 PRACTICAL APPLICATIONS 20
5.1 GENERAL REQUIREMENTS ON THE USE OF DIGITAL SIGNATURES 20
5.2 APPROACH IN EDIFACT INVOICES (EDIFACT-IMMANENT SIGNATURE) 20
5.3 TIME STAMP SERVICE 21
6 IMPLEMENTATION AND BEST PRACTICE RECOMMENDATIONS 22
6.1 REALIZATION OF SECURITY IN THE ENERGY INDUSTRY'S ELECTRONIC LEGAL RELATIONSHIPS AND BUSINESS TRANSACTIONS 22
6.2 GENERAL PROCESS FOR SETTING UP PUBLIC KEY INFRASTRUCTURES 23
6.2.1 Possible process for the definition of business transactions/applications for which certificates are to be used 23
6.2.2 Registration process 24
7 OUTLOOK 25

ebIX
May 16, 2006
0 MANAGEMENT SUMMARY
This document is the first in a series of publications from the ebIX project “DigSig” regarding the use
of encryption and digital signatures within the European energy sector. It examines especially the
legal, organizational and technical aspects which need to be taken into consideration for the
introduction of digital signatures within the sector. Particular emphasis was laid on a broad perspective
going beyond company boundaries. It is of crucial importance to pursue the introduction of electronic
handling (instead of paper and manual signatures) in business relationships – digital signatures are a
means of providing verifiability to electronic data interchanges.
0.1 Background
The energy branch as a whole is facing this next important automation step that should be
implemented multilaterally, whenever possible. Pioneer work is not required to this end; other
branches like the automobile industry have shown that automation can be realized at a reasonable
expenditure.
The liberalized energy market has created new challenges in terms of logistics, in particular with
regard to mutual billing. Rapidly organizing electronic handling of this process will generate large
synergies for all market participants. According to a study of the EU Commission, companies can rely
on cost savings of up to 72 % through pure electronic invoicing with digital signature.
In legal terms, electronic invoicing without accompanying paper documents has, for example, been
possible in Germany since 1st January 2002; when verified with a so-called qualified digital signature,
the electronic transaction is recognized as a voucher for income tax deduction. Thus, the ground has
been prepared for exploiting a considerable rationalization potential.
As a result of the development of markets, on the one hand, and of the possibilities of information
technology, on the other hand, market participants agree that secure electronic transmission of
additional market data (such as metered values, schedules and customer data) is important. A modern,
secure Business Partner Network needs to be established which organizes Electronic Data Interchange
(EDI) between market participants, and which ensures conformity with the law, interoperability,
efficiency and liability. This system, if it is to be successful, must be based on mutual confidence and
uniform rules and procedures in terms of IT security which also guarantee minimum complexity and
thus maximum economic efficiency. This can be achieved through the use of digital signatures and
encryption in communication processes.
The necessary contractual elements can be laid down in interchange agreements governing electronic
business transactions. The necessary technology has been available in the market for a long time and
quick access is possible by means of secured e-mail technology. In order to define equal security
criteria within the area of confidence going across association boundaries, and to optimally support
companies with regard to implementation, it is advisable in economic terms to define a common
security policy (PKI-Policy – Public Key Infrastructure Policy) at market interfaces.
0.2 Key recommendations
The authors recommend that
- market participants make certificates with public keys for encryption or for validation of signatures available (criterion of publication);
- communication partners encrypt data in online transactions and provide advanced or qualified signatures (criterion of application);
- communication partners use and accept digital signatures and source identifiers for verification of legal liability, integrity, and authenticity (criterion of acceptance);
- e-mails are generated in a verifiable manner with a source identifier for ensuring integrity and authenticity, and are encrypted on the basis of standard procedures for ensuring confidentiality;
- documents are interchanged in accordance with the accepted formatted message types (using EDIFACT, XML) (criterion of document compatibility);
- all EDI messages required for electronic invoicing with income tax deduction (and all declarations of a legal nature) are signed with a qualified signature (with supplier accreditation, where this is a legal requirement);
- all other EDI messages are signed with at least an advanced signature;
- Web-based online transaction services are authenticated and encrypted by the respective servers in an application-oriented manner;
- rules and regulations required for interoperability are defined and made available to all market participants;
- model solutions be developed allowing market participants to purchase the required functionality (BUY) or implement it themselves (MAKE) in an economically and technically simple manner.
1 INTRODUCTION
1.1 About this document
Within the European energy sector, electronic data interchange (EDI) using a variety of methods has
become a core business enabler over the last few years. It is no longer possible to imagine how
liberalised energy markets would function without EDI; rapid and automatic interchange and
processing of business transactions, as far as possible without human intervention, is organisationally
and economically necessary for all participants at all levels. Whether the transactions contain metering
data, invoices, customer switching information or schedules: automation brings benefits through
process optimisation. Nevertheless, there are further, fundamental considerations – political,
organisational and technical – to bear in mind, which influence implementation.
Core processes with a high-volume character require supporting processes within the organisation.
Securing EDI transactions is one such supporting process, especially in connection with transparency
and integrity of the data involved. Just as a signature gives a piece of paper legal character – e. g. from
an offer to a contract – EDI requires the same legal status for security and non-repudiation. To this
end, it is essential that a secure business partner network be established, within which electronic
business transactions for all participants are made possible. Therefore we need to promote an
infrastructure which can be trusted both by larger corporations (with their own certification
authorities) and smaller companies (who buy-in from service providers).
This can only be guaranteed by verification and confidentiality mechanisms directly associated with
the information exchanged. These mechanisms need to cover the whole range of the logical
transactions consistently. This is necessary to be able to carry out transactions in the new deregulated
market between market participants in a legally correct and unambiguous manner in terms of liability
law, and not least in an inexpensive way under technical and organisational aspects.
This document investigates the possibilities and limits of the use of digital signature and encryption at
the information level within communication processes between market participants via Electronic
Data Interchange (EDIFACT or XML), some of which are very extensive, where the development of a
“Secure Business Partner Network” comprising both the secure communication platform and secure
business transactions is required.
1.2 Scope of project
In the light of these requirements, a small project (“DigSig”) was established within the ebIX structure
to generate appropriate documentation which can then be used as a basis for implementation scenarios
on a national and/or international level. The intention is to describe the overall harmonisation
requirements for the use of encryption and digital signatures for electronic transactions within the
European energy sector; also being compatible with the following overall ebIX objectives:
1) Make recommendations of common procedures that facilitate the common open European energy
market
2) Make common standards for secure data interchange that can automate the process to reduce the
costs for the parties involved.
1.3 Participants in the project
The project is based on documents produced within the German national group (under the able
tutoring of Dr. Willi Kafitz, Siemens AG, Frankfurt) and has been coordinated for ebIX by Carl W.
Major. The following participants provided intellectual and/or financial support to the project:
Country  Name                     Company
DE       Carl W. Major            E.ON Netz
DE       Dr. Konstantin Staschus  VDN
DK       Erik Hartwell            Energinet.dk
BE       Hugo Dekeyser            Eandis
SE       Joachim Abrahmsén        Steria
NL       Lodewijk ter Haar        Tennet
FI       Matti Vasara             Fingrid
NO       Per M. Breistein         Statkraft
NO       Ole Jacob Høyland        Statnett
SE       Oscar Ludwigs            Svenska Kraftnät
SE       Robert Lundin            Steria
CH       Rudolf Baumann           ETRANS

1.4 References
[1] Original project proposal, see http://www.ebix.org/

1.5 Change log
Ver.  Rel.  Rev.  Date        Changes
0     1     none  2005-10-25  Document generated
0     1     A     2005-11-17  Textual and structural corrections
0     1     B     2005-12-06  Further corrections
0     2     none  2006-02-28  Comments incorporated
0     3     none  2006-05-16  Publication as ebIX RFC
2 BACKGROUND
2.1 Market drivers
2.1.1 General market features
To date, relatively few EU member states have completely opened up their electricity market. Where it
has occurred, however, even though former “captive customers” in closed supply areas are now free to
choose their electricity supplier, dependencies in the market and in electrical networks (which are
partly attributable to pure physical connections), have not disappeared. Going far beyond these mutual
dependencies (as compared for instance to the liberalized telecommunication market), the common
requirements in the electricity market in terms of metering, scheduling, system services, spot market,
balance settlement, customer switching and billing require close, authentic, binding and verifiable
communication relationships.
Such demands increase with the growing transparency in almost all market segments. Although the
switching rate of domestic customers is today still around 3 percent (that of small commercial
customers approx. 4 percent and that of industrial customers approx. 15 percent), the potential
willingness to switch is estimated to be five times as high. This becomes more apparent following the
conclusion of new (often more favourable) contracts with existing electricity suppliers, so-called
"internal switching". In early 2002, the number of such agreements amounted in Germany to more
than 25 percent for domestic customers and to more than 50 percent for industrial customers.
The resulting requirements for supply and billing relationships between market participants increase in
proportion to the requirements for verifiability and integrity of the data exchanged. These overall
security requirements on the Business Partner Network need to be satisfied for the relevant EDI
relationships in a practicable manner at reasonable cost. Early experience in other branches, such as
financial management, has shown that the use of digital signatures is reasonable in economic,
organisational and technical terms because the change of media for manual signatures can be avoided,
and rationalization potential is exploitable for other paper-based processes. Consequently, there are
many additional possibilities of streamlining business processes. Internal and external business
processes and their supporting processes are obviously affected to a similar extent in the electricity
sector because data exchange can be optimized both with other market participants and within
corporate groups.
Interdependencies between market participants are not trivial in this context. The most urgent business
processes with immediate effects on financial operations need to be resolved first in keeping with
three key criteria: legal conformity, interoperability and economic viability. Furthermore, the overall
concept implemented needs to be upwardly compatible with as many economically-reasonable EDI
business relationships as possible.
2.1.2 Pressure on participants
The technical interdependencies of energy supply remain virtually unchanged. A consequence of
deregulation however is new, more complex implementation processes. For example, apart from
customer switching in the private sector, the need for additional expenditure as recently recorded can
be attributed to billing of new customer groups, billing of network usage, invoices for provision of
materials, etc. Thus, pressure for action has arisen in particular in the context of invoicing.
The situation within the different energy utilities has become serious because the rising number of
paper invoices cannot be economically handled with the existing invoicing capacity. Though the
exchange of electronic documents (e. g. Excel) has helped in some areas in the short term, it is not the
right instrument for efficiently handling transactions of this order of magnitude.
Besides, confidence in the integrity (consistency, correctness) of electronic transactions is needed in
order to achieve a higher acceptance of these procedures. Confidence in non-transparent procedures is
lower than in verifiable, non-contestable procedures. In particular, it frequently happens that several
entities are involved in the handling of billing data. Therefore, the data source, i.e. the sender, must
ensure the integrity of data from the outset. The recipient must be able to authentically identify the
data source/sender to ensure non-repudiation.
2.2 EDI relevant transactions and their requirements in terms of security
2.2.1 Invoices/credit notes and accompanying information
For a commercially-valid accounting transaction, all documents relevant to credit and debit entry need
to be taken into consideration. In addition, eligibility of invoice data is of particular importance to the
tax authorities where tax deduction on turnover is concerned.
Example of German legislation:
    If solely electronic invoices and credit notes are to be exchanged without any accompanying
    (paper) documents, they are subject to the legal requirements according to Section 14 of the
    Income Tax Law that took effect from 1st January 2002: a qualified digital signature with
    provider accreditation according to the Digital Signature Act is required in Germany by law (footnote 1).
From the viewpoint of tax authority auditors, invoices, remittance advices and metering data in
electronic form all contain information relevant to accounting procedures; hence they are of legal
relevance to invoices and credit notes. The invoice message type covers invoices and credit notes,
remittance advices are payment notice messages which refer to the invoice in a payment transaction.
The metered data messages represent the values of consumption to be invoiced. These last two
message types constitute accompanying information to an invoice, having a document character
according to generally accepted principles of accounting.
Thus, these transactions are also to be signed digitally if only electronic exchange of invoices is
desired in business-to-business relationships of market participants.
EDI in the form of market interfaces thus organizes communication between market participants.
Metered values are however often transmitted, prior to the electronic invoicing process, to the metered
values database by internal or external network operators. As the transactions concerned are generally
confidential and effectively have an equivalent monetary value, the authenticity of the source and the
integrity of data have to be ensured. The technology used is based on public key infrastructures and
asymmetric cryptography.
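As an added example (not part of the ebIX document or any ebIX implementation), the following Go program shows the sender and recipient roles described above and in the key recommendations for a signed EDIFACT invoice: the sender signs the interchange, the recipient looks up the sender's published key (criterion of publication), ties the signer to the UNB source identifier and checks the signature, so that a changed amount or an unknown sender is rejected. The invoice content, party ids and the use of Ed25519 are assumptions of the example; a qualified signature in the document's sense additionally requires a certified key on approved hardware, which is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: a minimal EDIFACT INVOIC interchange from a network operator
// (sender id 9900000000001) to a supplier. Ids, references and amount are invented.
const sampleInvoice = "UNB+UNOC:3+9900000000001:500+9900000000002:500+060516:1200+INV0001'\n" +
	"UNH+1+INVOIC:D:01B:UN'\n" +
	"BGM+380+INV-2006-0001+9'\n" +
	"DTM+137:20060516:102'\n" +
	"MOA+77:10450.00:EUR'\n" +
	"UNT+5+1'\n" +
	"UNZ+1+INV0001'"

// KeyDirectory stands in for published certificates: interchange sender id -> public key.
type KeyDirectory map[string]ed25519.PublicKey

// SignedMessage: EDI payload, source identifier of the signer, detached signature.
type SignedMessage struct {
	SenderID  string
	Payload   string
	Signature []byte
}

// canonical returns the bytes that are signed: line breaks between segments are
// presentation only and are dropped, so both sides sign/verify the same byte string.
func canonical(payload string) []byte {
	return []byte(strings.ReplaceAll(payload, "\n", ""))
}

// senderID extracts the interchange sender from the UNB segment
// (UNB+syntax+sender:qualifier+recipient:qualifier+date:time+reference).
func senderID(payload string) (string, error) {
	for _, seg := range strings.Split(string(canonical(payload)), "'") {
		if !strings.HasPrefix(seg, "UNB+") {
			continue
		}
		elems := strings.Split(seg, "+")
		if len(elems) < 3 || elems[2] == "" {
			return "", errors.New("malformed UNB segment")
		}
		return strings.SplitN(elems[2], ":", 2)[0], nil
	}
	return "", errors.New("no UNB segment found")
}

// Sign is the sender side: the data source fixes integrity and origin before the
// interchange leaves the company. Ed25519 is an assumption of this example; a
// qualified signature would additionally need a certified key on approved hardware.
func Sign(priv ed25519.PrivateKey, payload string) (SignedMessage, error) {
	sid, err := senderID(payload)
	if err != nil {
		return SignedMessage{}, err
	}
	sig := ed25519.Sign(priv, canonical(payload))
	return SignedMessage{SenderID: sid, Payload: payload, Signature: sig}, nil
}

// Verify is the recipient side: fetch the claimed sender's published key, require
// that the signer is the party named in the UNB header, and check the signature.
func Verify(dir KeyDirectory, msg SignedMessage) error {
	pub, ok := dir[msg.SenderID]
	if !ok {
		return fmt.Errorf("no published key for sender %q", msg.SenderID)
	}
	sid, err := senderID(msg.Payload)
	if err != nil {
		return err
	}
	if sid != msg.SenderID {
		return fmt.Errorf("signer %q is not the interchange sender %q", msg.SenderID, sid)
	}
	if !ed25519.Verify(pub, canonical(msg.Payload), msg.Signature) {
		return errors.New("signature invalid: payload altered or wrong key")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // sender's key pair
	if err != nil {
		panic(err)
	}
	directory := KeyDirectory{"9900000000001": pub} // the published public key
	msg, err := Sign(priv, sampleInvoice)
	if err != nil {
		panic(err)
	}
	fmt.Println("unchanged invoice:", Verify(directory, msg))
	altered := msg // one transposed digit in the MOA amount must be rejected
	altered.Payload = strings.Replace(msg.Payload, "10450.00", "10540.00", 1)
	fmt.Println("altered invoice:", Verify(directory, altered))
}
```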
2.2.2 Customer master data
Master data regarding customers, contracts and metering points which are transmitted through the
appropriate message type are also sensitive data. Data with the appropriate classification needs to be
safeguarded according to the specifications of data protection legislation. Negative examples from
other branches show the possible consequences of irregularities. Reports of illicit access to data by
hackers or insiders have already in many cases led to substantial damage to a company’s image. A
drastic example is the case of a large German bank whose stock price slumped in 2001 by almost 10%
for several days. In the medium term, such events frequently lead to calls to tighten up the legal
situation or increasing controls through supervisory boards (financial services supervision).
Footnote 1: This reference legal situation is described in detail in Chapter 3.2.3.

2.3 Traders
Traders assume a special role as market actors when trading in energy supply services. They purchase
energy from their own or external power generators and associated companies or through the Power
Exchanges, e. g. in Amsterdam, Leipzig and Oslo. Energy is sold to suppliers or network operators.
Thus, the message types
- schedules
- metered data
- invoice
- payment advice
all play an important role both in the internal and external relationship of any corporate group and
should as a consequence be adequately secured.
The contents and time-constraints of transactions need to be documented in legally binding terms. To
this end, telephone transactions are frequently tape-recorded today so that the time is simultaneously
documented. For all Energy Exchanges, electronic trading is increasing in importance. The Exchange
market has developed into a virtual market place. Errors attributable to a change of media (paper,
electronic, voice) and the resulting transactional errors can lead in many cases to considerable
investigative expenditure which may cause substantial costs for just a few financial transactions. The
liability mechanisms discussed later in this paper can lead to improvements in this field.
2.4 Political framework
In the example of energy supply companies in Germany, all participants are interested in maintaining
the associations’ own guidelines and hence voluntary commitment to contribute to the successful
organization of market interfaces. If they were no longer able to do so, laws and a regulatory authority
would have to be established like in the communication branch to enforce the further deregulation of
the market.
The introduction of digital signatures is an important prerequisite for the implementation of binding
business transactions between market participants. This contributes to minimizing potential conflicts –
which are always counterproductive to the organizational aspects of a technically and economically
networked sector, such as the energy market.
3 THE LEGAL FRAMEWORK IN CONTEXT
3.1 Global situation
In nearly all Western countries, digital signatures are an accepted legal (though not yet universally
implemented) method to ensure the authenticity of the sender and the integrity of transmitted
information. Appropriate certification infrastructures (Public Key Infrastructures) are being
increasingly established within trade and industry and in public administration.
Internationally, three standardization authorities (CEN/CENELEC, ETSI and ISO/IEC JTC1) have
given an important impulse to European digital signature standardization (see EESSI Steering
Committee).
- In technical terms, the work was organized within the E-SIGN standardization bodies and other committees (such as for mathematical algorithms).
- In political terms, Article 9 of the EESSI Steering Committee had a decisive influence on the EU Directive.
In Europe, this European Directive was adopted by the heads of states and governments in autumn
1999, and put into force in January 2000 meaning that it had to be implemented into national
legislation by all participating states within 18 months. Subsequent harmonization has been pursued
e. g. through the “SmartCards eEurope” initiative. On the basis of Finnish proposals, this committee
also discussed a Europe-wide electronic identity card with digital signature.
The USA has given the use of electronic identity cards a legal basis (21 CFR Part 11 of the USA); one
of the largest Public Key infrastructures worldwide is maintained by the Canadian government.
However, the North American approach leaves the initiative rather to market participants. The initial
approach of (continental) Europe – based on the EU Directive – led at the start to difficulties caused
by evaluation requirements (organizational and technical) of the field of application surrounding
qualified digital signatures and also due to legal requirements concerning regulation of liability. On
the other hand, this facilitated the establishment of a secure legal foundation in the medium term,
especially where manual and digital signatures co-exist legally and liability is guaranteed by
certification service providers.
Japan has since adopted large parts of the legal position of Germany, launching a 160 million Dollar
project for national SmartCards with digital signatures that are also capable of storing applications of
non-governmental organization at a later date (helping to minimize total costs and provide value added
services).
The financial sector is a further important driving force. The business-to-business approach is shown
by Identrus where member banks can market certificates for digital signatures worldwide to corporate
clients on the basis of extensive liability guarantees. The root certification authority (“Root-CA”) is
located in New York. The business-to-consumer influences, as in the case of banking cards or in point-of-sale transactions, are also important. The introduction of the Europay/Mastercard/Visa standard
(EMV) for banking cards has been a driving factor in almost all Western countries. The current
functions of magnetic strips are gradually being replaced globally by microchip technology. This gives
rise to enormous savings in transaction costs, higher resistance to forgery and new value added
services, like bonus systems, etc. (footnote 2)

Footnote 2: In January 2005, about 80,000 cash machines and 350,000 POS terminals were switched over to these new technologies in Germany.
This branch shows that the use of advanced digital signatures with a high security level in technical
and liability terms can also be of increasing importance in the legal framework of business contracts (as
in “General Standard Terms and Conditions”). Today, an inquiry for pension details can be addressed
to the German Federal Insurance Office for salaried employees by means of a banking card and digital
signature.
3.2 Example application of European directives – the legal situation in Germany
In Germany, the European Directive was implemented into German legislation through the Digital
Signature Act of 21 May 2001 and the Signature Ordinance of 20 October 2001.
3.2.1 Status of legal documents
Changes to the form requirements in private law (which became effective on 1 August 2001) now
permit the electronic form of documentation (when verified with a digital signature) in many different
legal areas of the German Civil Code. Thus, a legal foundation now exists within the scope of national
legislation, together with security of liability within the European Community. (NB: encryption is not
subject to statutory provisions but is left exclusively to the discretion of communication partners.
However, if document encryption is used, for example for documents relevant under tax aspects, this
will have an impact on data access for periodic tax examinations.)
The most important difference as compared to the paper form is the reversal of the burden of proof in
the case of legal assessment of digital signatures on electronic texts as evidence in legal proceedings.
The reasons for this are mainly consumer protection aspects. If today a party in a legal proceeding
submits a (certified) document, the opposing party must prove the falseness of this document in case
of doubt. But the legislator did not expect of the consumer as opposing party to be forced to prove the
falseness of a digital signature to an authority or to a company.
Additionally, areas have now been specified where manual signatures have been equated to qualified
digital signatures (in Germany with provider accreditation for the certificate).
It is also for the sake of consumer protection that e.g. a savings agreement with a building society can
be signed electronically because explicit decision-making can be assumed for this declaration of
intent. On the other hand, a consumer credit agreement which can also be concluded with a car dealer
or furniture store must still be signed manually. These examples show the possibilities and limits of
the use of digital signatures in business or in contacts with public authorities (B2C, A2C).
However, digital signatures do not have any perceivable specific legal consequences within electronic
business transactions via EDI processes (e. g. EDIFACT or XML). Nevertheless, only qualified digital
signatures qualify within the public legal scope where they are defined as equal to manual signatures.
Provider accreditation of the “trust center” by the German regulatory authority for electrical and gas
supply, telecommunication and postal services (REGTP) thus guarantees liability without bilateral
contractual relationships within the scope of customary general terms and conditions. Certificates are
still expensive in general; they require specially authorized hardware and are restricted to natural
persons.
Within the scope of the legal framework governing formal requirements, the legal written form (covered by signature and witnessed by a notary public) has been extended to include the electronic form. This additionally requires the name and a qualified digital signature. Some EDI transactions in the electricity industry represent declarations of intent within a bilateral contract/agreement on electricity supply in the sense of the so-called voluntary written form (e.g. schedules); unless a further intention is explicitly specified, such transactions can be covered by advanced digital signatures. It can thus be concluded that the exchange of a declaration of supply and a declaration of acceptance, each with an (advanced) digital signature, will suffice.
ebIX
May 16, 2006
Use of encryption and digital signatures in the European energy sector
13
In the general context, it has to be noted that electronic messages now need to be handled much more carefully than in the past. Under the earlier reasoning, electronic messages did not represent documents associated with business risks, but after the amendment of the German Civil Code the electronic form can now legally replace the written form. Thus, electronic documents and traditional business documents are equivalent. Nevertheless, changing the information carrier does not change anything in the objective of making business relationships legally transparent. This, then, also leads to the necessity of providing information (at least in signed mails) equal to that required in business letters and on letterheads.
At company level, digital signatures and encryption are not questioned as far as standard applications (e-mail, remote LAN access, etc.) are concerned. At the application level, however, there have been only a few reports of consistent implementation of “PKI-enabling”. Indeed, a decision in this respect should be taken on a case-by-case basis under economic aspects.
3.2.2 Principles concerning access to and verifiability of digital documents and consequences within archiving processes
On 1 January 2002, formal requirements concerning financial documentation of business activities
were considerably eased. With the exception of the notes added to the balance sheet and the annual
report, a company’s accounting can theoretically now be realized in a paperless form since this date.
On the other hand, “immediate” (formerly “adequate”) access to the archived data relevant to taxation
and to their processing systems is now required by the tax authority for periodic tax examinations.
On the one hand, this gave rise to new rationalization potential in electronic data processing, and on
the other hand, to further requirements if this rationalization potential is to be utilized, for instance, by
the use of digital signatures. These requirements on verifiability and archiving have been laid down in
a widely discussed regulation of the Federal Ministry of Finance3 (described in a paper of the Federal
Ministry of Finance of 16 July 2001 - IV D 2 - S 0316 -136/01-).
However, neither preliminary processes resulting from purchase, production and sales nor supplementary processes like collective cost, clearing and final accounts/reporting proceedings are affected; audit requirements concern exclusively financial accounting with its active accounts. For all documents that have to be preserved for a specific period, the principles of adequate and orderly accounting shall apply, whereby the possibility of subsequent modifications through the accounting system must be excluded from the beginning. The use of qualified digital signatures gives rise to new requirements concerning procedures and procedure documentation attributable to the requirements of the aforementioned regulations.
Accordingly, the relevant verification keys have also to be archived in the case of electronically signed
documents. Where cryptographic procedures are used, both the encrypted and the decrypted versions
as well as the keys utilized need to be archived. For conversions into data formats which are not in
current use, the two versions have to be archived together. Concerning documents that have to be
preserved for a specific period, a record has to be made of their entry, further processing and
archiving. This is all very complicated, but the history of information technology shows that this
challenge can be coped with. The transition from microfilming to optical archiving was a similar step.
As a consequence of the guidelines, large German companies have already decided NOT to make the ERP system (e.g. SAP) accessible to the financial authorities. Therefore, a working group was founded by the association of German SAP users, aiming at defining a downstream SAP module with the working title DART (DATA RETENTION TOOL), with a view to avoiding complete transparency of internal cost center transactions. In this context, a compromise has to be sought between a decision made by the tax court of the city of Münster on 28 August 2002 (“cost centers are relevant in terms of audits”) and complete transparency of internal and international transactions.
3 Principles concerning data access and verifiability of digital documents (German abbreviation: GDPdU – „Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen“).
DART provides a data extract with a high rate of compression (first figures: 1:25; meanwhile these figures have been somewhat normalized by SAP). Irrespective of these activities, archiving requirements have been increased with a view to meeting the requirements of GDPdU. The elaboration of a code of practice for data extraction, preservation and reproduction becomes indispensable to many companies. The goal is, on the one hand, to reduce the data (of finalized operations) in operative systems and, on the other hand, to archive the (electronic) records required for a complete examination of facts.
Not least in this context, legal and auditing requirements determine the requirements to be met by the
technical and organizational framework for the use of digital signatures in companies.
Until 31 December 2001, there were only two types of documents for long-term archiving:
- signed paper documents
- electronic documents
From 1 January 2002, GDPdU additionally prescribes archiving of
- signed electronic documents
- key generation & archiving in conjunction with signature validation mechanisms.
For manual signatures, the identity and legitimacy of the signer has to be ensured in an audit-proof
manner through signature regulation. The same applies now to digital signatures. It has become
general practice for this purpose to use the “PKI Policy” or the “Certification Practice Statement”
documents. It has to be emphasized that not the digital signature but the new legally admitted
possibilities of handling digital signatures, and market pressure compel each company to deal with this
subject-matter. The signature only serves to provide security for legal documents or accounting
vouchers in their respective form.
3.2.3 Consequences from the Act amending taxation on company turnover
The term “invoice” is defined in German legal terms (this definition is of particular economic
importance to input tax deduction) as follows: “An invoice is any legal document through which an
entrepreneur or a third party acting on his behalf accounts for a delivery or any other service to the
account of the recipient of the performance”. In terms of turnover tax, invoice and credit note are to be
handled virtually equally4.
A second sentence was added to this paragraph which became effective on 1 January 2002: “An
invoice is also a statement of account bearing a digital signature in accordance with the Digital
Signature Act of 22 July 1997 (German Civil Code - BGBl. I 1879, 1872), as amended”.
Pressure from industry made the financial committee of the German Bundestag discuss relaxations even before entry into force of the turnover tax amendment law. At European level, too, it was recognized that electronic business must not be excessively burdened. Therefore, the 6th Value-Added-Tax Directive (77/388/EEC) was amended through Directive 2001/4/EC by a decision of the Ministers of Finance on 4 December 2001. The Directive was formally adopted by the member states and published on 17 January 2002.
4 Turnover Tax Law (German abbreviation: UStG – Umsatzsteuergesetz; section 14, paragraphs 4 and 5).
Though digital signatures (contrary to electronic invoices) are no longer explicitly mentioned in the EU Directive, an important aspect of this amendment is that it maintains strict security requirements, which are imperative for standardized EDI transactions. This legal development shows, on the one
hand, that free electronic business should be promoted; but on the other hand, digital signatures are
used primarily in Germany as a means to curb value-added-tax evasion totalling an estimated amount
of more than 10 billion € (with a high number of undisclosed cases). After implementation into
German legislation on 1 January 2004, advanced digital signatures are sufficient in the case of EDI
invoices eligible for input tax deduction without accompanying paper documents. In any case,
1. adequate procedures are required for security integrity and authenticity;
2. accompanying paper documents (turnover tax unit billing) can be required where digital signatures
are missing.
Hence, only the use of digital signatures enables invoices and other message formats to be exchanged in a paperless manner by the energy industry.
4 TECHNICAL STANDARDIZATION
4.1 Digital signatures and EDIFACT
4.1.1 Progress of decision-making by the EDIFACT standardization bodies
At the project meeting of NBü-AA3 on 31 July 2001 at DIN in Berlin, the “Digital Signature Working Group 3.5” was founded (see NBü-AA3 No 85-2001). This Working Group was charged with setting up one or several guides on the EDIFACT message AUTACK (“security, authentication and confirmation message”). The basis for this work is the matrix established in June 2001 (see NBü-AA3 No 53-2001), finalized in version 7/2002.
4.1.2 Discussed alternatives for implementation into EDIFACT
Alternative 1: Two-Interchanges approach
characteristics:
- user data + AUTACK in separate transmission files
- user data: syntax V1-V2-V3-V4
- AUTACK: syntax V4
benefits:
- syntax version neutral (user data)
- hardly any changes of the actual situation required (only additional AUTACK)
- clear-cut separation between user data and signatures
drawbacks:
- organizational expenditure to the recipient for uniting, checking, waiting (for the other file)
- archiving difficult
Alternative 2: One-Interchange V3/V4 approach
characteristics:
- framework: syntax V4
- user data: syntax V4 used in a downwards compatible manner (in fact syntax V3)
- AUTACK integrated (syntax V4)
benefits:
- user data: syntax version neutral
- user data framework: minimal syntax V4 (only 8-digit date)
- hardly any changes of the actual situation required (appended AUTACK)
- clear-cut separation between user data and signature
- simple archiving
Alternative 3: Integrated Syntax V4 approach
characteristics:
- user data: syntax V4
- embedded security segments of syntax V4 are utilized (header-/trailer concept)
- no utilization of AUTACK
benefits:
- simple archiving
- data and signatures readable/processable in one data stream
drawbacks:
- only feasible with syntax V4
- complex processing at the recipient
Meanwhile, a choice was made in favour of variants 1 and 2 (alternatively the One-Interchange approach or the Two-Interchange approach with syntax downward compatibility). This choice was essentially refined during the session of DIN NBü 3.5 of 8/9 January 2002 and adopted in 7/2002. The draft standard, consisting of 2 parts, has been available to the public for comments since as early as February 2002 as DIN 16560-15 and DIN 16560-16.
In parallel with the AUTACK message type, which governs digital signatures in EDIFACT by means of asymmetric cryptography, attention was paid to the requirement of practicable key management for the secure transmission of public keys. The KEYMAN service message type needed for this purpose was embedded in the framework of the AUTACK application rules because key management can only be practised if it is safeguarded through integrity and authenticity information. It has thus to be treated like reference data, secured by AUTACK.
4.2 Digital signatures and XML
Mainly as a result of the advance of e-business (defined here as electronic business processes going beyond company boundaries), the XML data format standard has developed during the past few years into a widespread de-facto standard. XML is a standard that is intentionally simple in technical terms (syntax). Nevertheless, standardization needs to be pursued because branch-specific exchange formats must be built up (semantics).
According to the PKCS#7 standard of the RSA Company, XML documents can also be signed electronically. However, this “PKCS#7 container” has certain drawbacks which contravene the benefits of XML. This applies generally to EDI-immanent procedures, which, as opposed to PKCS#7, allow more favourable support processes in economic terms. Therefore, at the beginning of 2001 the draft RFC 3075 (XML signature syntax and processing) was adopted in the XML world (XML-DSig); it does not exhibit the aforementioned drawbacks and in addition eliminates the deficits of the PKCS#7 signature (e.g. by the possibility to sign parts of a document). Since early February 2002, and hence after a remarkably short period, it has also become a proposed standard of the IETF.
XML encryption is also the subject of intensive standardization activities. However, stable standards lag about one year behind XML-DSig. XML signatures are available in three different variants that can be combined with each other:
- enveloped signatures
- enveloping signatures
- detached signatures
At the generic level, the following can be said about these terms:
- Enveloped signatures
Require dedicated application or document design. Hence, they are 'only' suited to data objects to be
generated in future.
- Enveloping signatures
Particularly suited to messaging services or services allowing for one-time validation. Can 'wrap'
existing data objects; thus, they can be relevant to migration scenarios. Consequently, it is suited to
already existing data objects, which are however transformed.
- Detached signatures
Particularly suited to security add-ons to existing data objects which cannot or should not be modified
(or wrapped); example: authenticated SW distribution.
Within the existing context of branch requirements, types 1 and 3 are particularly interesting. Type 1 can make use of new features of XML signatures, like the signature over parts of the message where, for instance, no legal responsibility is to be assumed for a part of the message that is to be forwarded, and which is thus not to be signed (again). However, type 1 presupposes a purely XML-immanent environment, which still needs to be established in terms of applications. Type 3 may become interesting when data and signature can or must be separated. Unchangeable data like metered values can be forwarded together with a clearly defined link to the signature (Uniform Resource Identifier, URI).
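As an added illustration (not code from the ebIX paper), the following Go program builds a type 3 (detached) signature over a metered-values data object that stays untouched and is referenced by URI, and then verifies it in the two XML-DSig steps: reference validation, then signature validation. Ed25519 and SHA-256 are assumptions, the data object and URI are constructed, and canonicalization (C14N) is omitted, so this shows the structure of XML-DSig rather than a standards-conformant implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"sort"
)

// Constructed sample data object (not an ebIX schema). Metered values must stay
// byte-for-byte unchanged, so the signature lives in a separate document.
const meteredValuesXML = `<MeteredValues meteringPoint="EXAMPLE-MP-0001">` +
	`<Value time="2006-05-16T00:00Z" unit="kWh">4231</Value></MeteredValues>`

// Reference mirrors ds:Reference: the URI link to a data object and its digest.
type Reference struct {
	URI          string `xml:"URI,attr"`
	DigestMethod string `xml:"DigestMethod"`
	DigestValue  string `xml:"DigestValue"`
}

// SignedInfo is the only thing that is signed. It holds digests, not the data,
// which is what lets one signature cover selected parts (references) of a message.
type SignedInfo struct {
	SignatureMethod string      `xml:"SignatureMethod"`
	References      []Reference `xml:"Reference"`
}

// DetachedSignature is the separate signature document (a simplified ds:Signature).
type DetachedSignature struct {
	XMLName        xml.Name   `xml:"Signature"`
	SignedInfo     SignedInfo `xml:"SignedInfo"`
	SignatureValue string     `xml:"SignatureValue"`
}

func digestB64(data []byte) string {
	sum := sha256.Sum256(data)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// SignDetached signs the data objects in objects (keyed by URI) without modifying
// or wrapping them. Simplification: real XML-DSig canonicalises SignedInfo and XML
// references (C14N); here SignedInfo is re-serialised deterministically from the
// struct (references in sorted URI order) and data objects are hashed as raw bytes.
func SignDetached(priv ed25519.PrivateKey, objects map[string][]byte) (*DetachedSignature, error) {
	uris := make([]string, 0, len(objects))
	for uri := range objects {
		uris = append(uris, uri)
	}
	sort.Strings(uris)
	si := SignedInfo{SignatureMethod: "ed25519"}
	for _, uri := range uris {
		si.References = append(si.References,
			Reference{URI: uri, DigestMethod: "sha256", DigestValue: digestB64(objects[uri])})
	}
	siBytes, err := xml.Marshal(si)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, siBytes)
	return &DetachedSignature{SignedInfo: si, SignatureValue: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyDetached performs the two XML-DSig validation steps: reference validation
// (resolve every URI and recompute its digest) and signature validation (check the
// signature over SignedInfo). Either failure rejects the signature.
func VerifyDetached(pub ed25519.PublicKey, sig *DetachedSignature, objects map[string][]byte) error {
	for _, r := range sig.SignedInfo.References {
		data, ok := objects[r.URI]
		if !ok {
			return fmt.Errorf("reference %q cannot be resolved", r.URI)
		}
		if digestB64(data) != r.DigestValue {
			return fmt.Errorf("digest mismatch for %q: data object was changed", r.URI)
		}
	}
	siBytes, err := xml.Marshal(sig.SignedInfo)
	if err != nil {
		return err
	}
	sv, err := base64.StdEncoding.DecodeString(sig.SignatureValue)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, siBytes, sv) {
		return errors.New("signature over SignedInfo invalid")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	objects := map[string][]byte{"metered-2006-05-16.xml": []byte(meteredValuesXML)}
	sig, err := SignDetached(priv, objects)
	if err != nil {
		panic(err)
	}
	out, _ := xml.MarshalIndent(sig, "", "  ")
	fmt.Println(string(out))
	fmt.Println("valid:", VerifyDetached(pub, sig, objects) == nil)
}
```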
Easy readability of XML documents is not affected by the XML-DSig signature standard, which is beneficial e.g. in full text retrieval. The introduction of XML and XML-DSig is particularly reasonable if different distribution channels (e.g. Web and WAP) support different formats (“stylesheets”) in a business transaction. Though pure XML implementations are still rare in established EDI structures, the majority of analysts believe that this is the technology of the future. Therefore, new implementations should be based on a strategic decision on whether XML can be used as the EDI format.
4.3 Digital signature and e-mail
The S/MIME format can be considered today as an accepted standard worldwide. Other standards for securing e-mail like PEM and PGP are declining in importance. However, one should be aware of certain restrictions. With S/MIME, the signer is identical with the sender. Therefore, S/MIME does not support multiple signatures as they are, for instance, required in business letters or in other areas of application with multiple responsibilities. And with S/MIME, the text and attachments are packed into a “sealed” container. Archiving and retrieval including full text search is thus more time-consuming than with signature and encryption at data level.
In Germany, implementations based on the S/MIME standard were subjected to a large-scale
interoperability and practice test within the scope of the SPHINX project. To prepare the wide-spread
introduction of these safety measures, the German Federal Administration, the coordination and
advisory bureau of the Federal Ministry of the Interior in cooperation with the Federal Office for
Security in Information Technology, carried out the SPHINX pilot test on “end-to-end-security for
electronic document exchange”. The pilot test consisted of several phases. Phase 1 started on 1 April
1998 and was terminated on 30 September 1998. Phase 2 started on 1 October 1998 and continued
SPHINX until 1 March 1999. The following objectives were pursued by SPHINX:
- testing of functionality and interoperability of security solutions of different providers,
- gaining experience in terms of user acceptance and
- assessment of the personal, financial and organizational expenditure to the authorities concerned.
The German Bundestag, numerous German Federal Ministries and authoritative institutions of the German Länder and different companies have participated in SPHINX. More than 30 organizations were represented. PCs of approx. 400 participants in the pilot test were equipped with software which enables messages to be encrypted and decrypted, and digital signatures to be created and verified. Some of the users used chip cards on which the private (secret) key was stored. These workstations were additionally equipped with a chip card reader. The hardware and software used were produced by eight different firms. These technology providers all passed the relevant interoperability tests.
The interoperability criteria obtained through this type of practical test for encrypted and signed e-mails should also serve as an example for e-mail exchange between industry participants.
4.4 Interoperability of digital signatures
4.4.1 ISIS-MTT standard
Compatibility or interoperability between providers of qualified certificates does not yet exist per se. This applies even to accredited providers of certification services according to the German Digital Signature Act. Two committee standards and a proposal of the German Federal Office for Security in Information Technology (BSI) are available, which overlap to a large extent:
- MTT (MailTrusT V2.1) of TeleTrusT e.V. from the SPHINX project,
- ISIS (Industrial Signature Interoperability Specification V1.1), the interoperability standard of the T7 Trustcenter working group, and
- SigI, a specification proposal of the BSI.
The Trustcenter association T7 has meanwhile agreed with TeleTrusT on a common standard (ISIS-MTT). However, full interoperability has not quite been achieved. The project is actively supported by the “Fraunhoferinstitut für Sichere Telekooperation” and promoted by the German Federal Ministry of Finance.
The reason for the specification of ISIS-MTT is the large variety of possible interpretations of a certificate that needs to be evaluated in data processing terms according to the X.509 standard (Version 3). Therefore, a practicable development basis must be provided to trust centers and client-software producers. Simultaneously, a text suitable for tendering procedures must be available to professional users. A label/quality mark is being developed with a view to increasing product acceptance.
4.5 Validation of digital signatures across association boundaries
The validation of the signature’s authenticity and the data’s integrity by the mechanisms of digital signature, i.e. through the signer’s public key and the comparison of hash values, is of decisive importance to the complete scenario and needs to be manageable in technical and organizational terms for further e-mail applications. The validation of signatures is a requirement concerning interoperability; but its practicability is of decisive importance for success in practice. Therefore, in Germany, the Digital Signature Act and the underlying DIN standard define a relatively simple hierarchical structure which comprises only two stages. And here is why:
Unconditional confidence must be placed in the Root Certification Authority which rests with the
appropriate regulatory authority as far as qualified signatures with provider accreditation are
concerned. Its private key undersigns the public keys of accredited certification service providers
(“trust centers”).
With their private keys, the latter undersign the public keys of the signature key holders after proper
registration of the user and after unequivocal identification by means of personal documents (e.g.
identity card/passport) and make these certificates available to the public; thus, they guarantee the
correctness as defined by the liability provisions of the Digital Signature directives. Validation means
the prompt verification of this certification chain with regard to unrestricted consistency. There is
therefore no doubt that this strictly hierarchical validation chain of only two stages offers certain
advantages.
However, these certificates are today (still) expensive and bound to natural persons. Qualified
certificates do not comply with the requirements on server certificates for client/server authentication,
encryption certificates with their requirements on recovery mechanisms, certificates for crypto
hardware, certificates for legal persons, certificates needed for meters, etc. Advanced certificates
which can be generated, for instance, in companies’ PKIs are recommended for these purposes. These
signatures are often referred to as not complying with the Digital Signature Act, which is not quite
correct. These signatures were also defined in the Digital Signature Act, but they were not put on a
level with manual signatures.
If advanced signatures are also used by market participants (which is advisable), it is necessary to organize the “trust relationships” so that they can be automatically validated among business partners. A cross certification must be provided for the extreme case that every employee/operation participant must be able to trust every employee/operation participant of the corresponding partner company.
In case of lower requirements, it is possible to safely exchange only root certificates of partner
companies, and to operate “black lists” (certificate revocation lists, CRLs). In this case, the validation
path is extended with the corresponding organizational and technical consequences. Moreover, this
procedure needs to be moderated at the introduction stage, and administered in operation through a
neutral trustworthy third party, or associated with undisputed criteria which have to be strictly
observed by parties participating in the procedure.
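To make the two-stage chain and the exchanged-root-plus-CRL procedure concrete, here is an added Go example (not from the ebIX paper): it issues a partner root, a trust center certificate undersigned by that root, and signature key holder certificates undersigned by the trust center, lets the trust center publish its "black list" (CRL), and accepts a holder only if the chain reaches the exchanged root, the CRL is genuinely the trust center's and current, and the holder is not revoked. Names, serial numbers and the 24-hour validity are constructed; ECDSA P-256 is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert issues a certificate for cn. With parent == nil it is self-signed (a root);
// otherwise the parent's private key undersigns it: root -> trust center -> key holder.
func issueCert(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed short validity
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// publishCRL is the trust center's "black list": the serial numbers it has revoked,
// signed with its own key and usable until NextUpdate.
func publishCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey,
	revokedSerials []int64) (*x509.RevocationList, error) {
	tpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, s := range revokedSerials {
		tpl.RevokedCertificateEntries = append(tpl.RevokedCertificateEntries,
			x509.RevocationListEntry{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tpl, issuer, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// ValidatePartnerSignature is the two-stage validation: the holder certificate must chain
// through the trust center to a root exchanged with the partner (roots), the CRL must be
// the one issued by that trust center and still current, and the holder must not be on it.
func ValidatePartnerSignature(holder, trustCenter *x509.Certificate, roots *x509.CertPool,
	crl *x509.RevocationList) error {
	inter := x509.NewCertPool()
	inter.AddCert(trustCenter)
	chains, err := holder.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("certification chain invalid: %w", err)
	}
	// chains[0] is ordered holder -> trust center -> root; the CRL must come from chains[0][1].
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return fmt.Errorf("CRL not signed by the trust center: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is out of date; revocation status unknown")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(holder.SerialNumber) == 0 {
			return errors.New("holder certificate has been revoked")
		}
	}
	return nil
}

func main() {
	root, rootKey, _ := issueCert("Partner Root CA", 1, true, nil, nil)
	tc, tcKey, _ := issueCert("Partner Trust Center", 2, true, root, rootKey)
	holder, _, _ := issueCert("Signature Key Holder", 3, false, tc, tcKey)
	crl, _ := publishCRL(tc, tcKey, []int64{99}) // 99: a constructed revoked serial
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println("holder validates:", ValidatePartnerSignature(holder, tc, roots, crl))
}
```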
The latter procedure is a reasonable alternative with good chances of success in the energy sector
because regulation needs which have been required to date could be adequately agreed. Nevertheless,
prior to the commencement of operation, liability issues should be settled and determined in political
terms within the scope of sectoral agreement.
Depending on individual applications, a combination of advanced and qualified signatures will therefore exist in practice, which are validated against a consolidated database (directory) by means of a standardized protocol (i.e. LDAP). External directory information is received in a timely manner from the partners in the case of advanced signatures, or from certification service providers (accredited “trust centers”) in the case of qualified signatures.
5 PRACTICAL APPLICATIONS
5.1 General requirements on the use of digital signatures
The use of digital signatures in the energy industry has far-reaching long-term effects of a technical
and mainly organizational nature.
The signature for metered data would be at the beginning of a series of sequences. It is economically
reasonable to invest early in technologies with short key lengths. To this end, it may be advisable in
future to use algorithms operating with the mathematics of elliptic curves. Even though public key
infrastructures using common RSA algorithms with more than sixfold key length emerge today within
associations, the compatibility of procedures must be ensured in the field of metrology and with regard
to EDI market interfaces and internal procedures.
5.2 Approach in EDIFACT Invoices (EDIFACT-immanent signature)
To be able to generate a digital signature after invoicing for presentation to the local tax office for input tax deduction, the following organizational structure may be used as a basis:
- Individual invoices and the collective invoice list are generated in the ERP or accounting system and released for transmission to the EDI partner5.
- These released basic files (individual invoices and collective invoice list) are transferred to the EDI system.
- The EDI system is equipped with a security module (to be defined in a later document).
- The security module checks the basic file and generates a hash value of the basic file.
- The hash value is signed with the private key of the sender (releaser)6.
- The signed hash value is placed in an AUTACK message.
- This AUTACK is attached to the original basic file (INVOIC01+INVOIC02+INVOIC03+…..+INVOICn).
- This gives rise to an EDIFACT transmission file with the following content: (INVOIC01+INVOIC02+INVOIC03+…..+INVOICn) + AUTACK
The contents of the AUTACK thus generated can be described, for instance, in a guide which is an integral part of the PKI policy or which the policy refers to.
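The procedure above, as an added Go example that is not part of the ebIX paper: the sender builds the basic file from the released invoices, a security module hashes it and signs the hash, and the recipient separates the AUTACK, recomputes the hash and checks the signature before accepting the invoices. The three INVOIC messages are constructed samples, Ed25519 and SHA-256 are assumptions, and the AUTACK here is a simplified stand-in (tag, hash, signature) rather than the EDIFACT security segments laid down in the DIN 16560 guides.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample of three minimal INVOIC messages (illustrative segments only,
// not a valid INVOIC guide). Together they form the "basic file".
var sampleInvoices = []string{
	"UNH+1+INVOIC:D:96A:UN'BGM+380+INV01'MOA+77:1200.50'UNT+4+1'",
	"UNH+2+INVOIC:D:96A:UN'BGM+380+INV02'MOA+77:310.00'UNT+4+2'",
	"UNH+3+INVOIC:D:96A:UN'BGM+380+INV03'MOA+77:99.95'UNT+4+3'",
}

// autackTag marks the simplified stand-in for the AUTACK message used here. A real
// AUTACK is built from EDIFACT security segments; this stand-in carries only the two
// things the check depends on: the hash of the basic file and the signature over it.
const autackTag = "AUTACK"

// BuildBasicFile concatenates the released invoices: INVOIC01+INVOIC02+...+INVOICn.
func BuildBasicFile(invoices []string) []byte {
	return []byte(strings.Join(invoices, ""))
}

// SecurityModuleSign does the security module's work: hash the basic file, sign the
// hash with the sender's (releaser's) private key and render the result as AUTACK.
func SecurityModuleSign(priv ed25519.PrivateKey, basic []byte) string {
	sum := sha256.Sum256(basic)
	sig := ed25519.Sign(priv, sum[:])
	return fmt.Sprintf("%s+SHA256:%s+ED25519:%s'", autackTag,
		hex.EncodeToString(sum[:]), hex.EncodeToString(sig))
}

// BuildTransmissionFile yields (INVOIC01+...+INVOICn) + AUTACK.
func BuildTransmissionFile(priv ed25519.PrivateKey, invoices []string) []byte {
	basic := BuildBasicFile(invoices)
	return append(basic, SecurityModuleSign(priv, basic)...)
}

// VerifyTransmissionFile is the recipient side: split off the AUTACK, recompute the
// hash of the basic file and check both the hash and the signature. The basic file is
// returned only when both checks pass.
func VerifyTransmissionFile(pub ed25519.PublicKey, tx []byte) ([]byte, error) {
	idx := bytes.LastIndex(tx, []byte(autackTag+"+"))
	if idx < 0 {
		return nil, errors.New("no AUTACK attached: accompanying paper documents would be required")
	}
	basic := tx[:idx]
	fields := strings.Split(strings.TrimSuffix(string(tx[idx:]), "'"), "+")
	if len(fields) != 3 || !strings.HasPrefix(fields[1], "SHA256:") || !strings.HasPrefix(fields[2], "ED25519:") {
		return nil, errors.New("malformed AUTACK")
	}
	sum := sha256.Sum256(basic)
	if hex.EncodeToString(sum[:]) != strings.TrimPrefix(fields[1], "SHA256:") {
		return nil, errors.New("hash in AUTACK does not match the received basic file")
	}
	sig, err := hex.DecodeString(strings.TrimPrefix(fields[2], "ED25519:"))
	if err != nil || !ed25519.Verify(pub, sum[:], sig) {
		return nil, errors.New("AUTACK signature does not verify with the sender's public key")
	}
	return basic, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := BuildTransmissionFile(priv, sampleInvoices)
	fmt.Printf("transmission file (%d bytes): %s\n", len(tx), tx)
	_, err = VerifyTransmissionFile(pub, tx)
	fmt.Println("recipient check error:", err)
}
```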
Remarks on the legal security of this solution:
An audit for tax reasons or other grounds represents an audit of facts. There are no formal
requirements upon the invoice format but only on signatures (qualified digital signatures, current
status in Germany with voluntary provider accreditation) due to the new legal situation. The EU VAT
Directive of 17 January 2002 set an additional legal framework. Its implementation into national
legislation is instrumental.
5 “Released” means an organizational step which needs to be set up in addition or which may result from the activation of automatic billing.
6 In this respect, the future legal situation will be of decisive importance. If signatures are applied that comply with the Digital Signature Act and are bound to the natural person, release will have to be explicitly established; alternatively, higher automation levels and assignment of the operation to the legal person may be possible. First experience gained with financial authorities shows that a pragmatic approach is by all means possible. In any event, the decisive criterion is the overall context in which business transactions need to be inversely and progressively auditable. The progressive audit extends from the bookkeeping record over the basic records to the accounts and finally to the profit and loss account or self-assessment / tax return, respectively. The inverse audit is carried out vice versa.
So, the current legal situation permits the interpretation that individual invoices have to be signed electronically, although this will probably not be necessary, even if the requirement for qualified digital signatures with provider accreditation (and thus for full compatibility with the Digital Signature Act and a natural person as signer) is maintained.
Non-EDIFACT-immanent signatures are conceivable and unproblematic in legal and technical terms.
They should be applied where files are signed (so-called PKCS#7 signatures). For signatures on the
basis of EDIFACT, it is expedient to use the AUTACK message type. It saves an additional step of
processing.
5.3 Time stamp service
Some pecuniary or mandatory processes in business transactions between market participants are tied
to specific times and may thus require urgent treatment. An example in this context is schedules.
Therefore, it may be reasonable to receive confirmation of the time of a data transaction.
An accredited time stamp service is based on the principle that it provides data (including signed data)
with the legally valid time and signs them together with its private key (accredited by the appropriate
regulatory authority). Subsequently, the data treated in this way are returned to the original sender.
The rules in Germany for the time stamp service are laid down for example in Section 9 of the
Signature Act; here, the time stamp on the hash value is sufficient.
Though the stamped data is thus fixed in time towards the past, the onward transmission of the data to the recipient is not recorded, i.e. the time stamp service is not suited as evidence of dispatch. Such evidence is furnished only if the data is forwarded by the certification office, i.e. the time stamp service. This is, however, not a mandate determined by law; respective rules have to be defined in individual business transactions. Hence, the time stamp is not like a postmark on a letter handed over at the post office counter: the sender gets the stamped “letter” back for forwarding it to the receiver.
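The exchange described above, as an added Go example that is not part of the ebIX paper: the sender submits only the hash of its schedule message, the service binds that hash to the legally valid time and signs both with its private key, and the recipient can later check that the token belongs to the document it holds and was signed by the service. Ed25519, SHA-256 and the token layout (8-byte big-endian Unix time followed by the hash) are assumptions; the schedule message is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimeStampToken is what the service hands back: the hash it was given, the legally
// valid time it attached, and its signature over both. The document itself never
// leaves the sender; the stamp on the hash value is sufficient.
type TimeStampToken struct {
	Hash      [32]byte
	Time      time.Time
	Signature []byte
}

// TimeStampService stands in for the accredited service; only it holds the private key.
// Now is injectable so that the legally valid time can be fixed in tests.
type TimeStampService struct {
	priv ed25519.PrivateKey
	Now  func() time.Time
}

// tokenBytes is the exact byte string the service signs: 8-byte big-endian Unix time
// followed by the 32-byte hash, so that time and hash are bound together.
func tokenBytes(hash [32]byte, t time.Time) []byte {
	buf := make([]byte, 8, 8+len(hash))
	binary.BigEndian.PutUint64(buf, uint64(t.Unix()))
	return append(buf, hash[:]...)
}

// Stamp signs hash together with the current legally valid time (second precision).
func (s *TimeStampService) Stamp(hash [32]byte) TimeStampToken {
	t := s.Now().UTC().Truncate(time.Second)
	return TimeStampToken{Hash: hash, Time: t, Signature: ed25519.Sign(s.priv, tokenBytes(hash, t))}
}

// VerifyTimeStamp is the recipient's check: the token must belong to the document
// received (same hash) and carry a valid signature of the service. A valid token proves
// the document existed at tok.Time; it does not prove when, or whether, it was delivered.
func VerifyTimeStamp(servicePub ed25519.PublicKey, doc []byte, tok TimeStampToken) error {
	if sha256.Sum256(doc) != tok.Hash {
		return errors.New("time stamp token does not belong to this document")
	}
	if !ed25519.Verify(servicePub, tokenBytes(tok.Hash, tok.Time), tok.Signature) {
		return errors.New("time stamp signature invalid (hash or time altered, or wrong service)")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tsa := &TimeStampService{priv: priv, Now: time.Now}
	schedule := []byte("constructed sample schedule message") // the sender keeps this
	tok := tsa.Stamp(sha256.Sum256(schedule))                 // only the hash is submitted
	fmt.Println("stamped at", tok.Time, "valid:", VerifyTimeStamp(pub, schedule, tok) == nil)
}
```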
A possible organizational solution is to have a time stamp put on the recipient’s automated receipt.
This is recommended e.g. in the e-government manual of the BSI (German Federal Office for IT
Security) for time-critical operations carried out within the German Federal Administration.
Absolute security is thus only given where the stamped delivery, analogous to a mail stamp, is
accepted by a trustworthy third party. One solution on offer adds the previously time-stamped hash
value in a given form to the document (e.g. invoice). To this end, the sender needs generating software
(“write version”); the recipient is able to download a “read version” free of charge from the Internet
and thus validate the time stamp.
6 IMPLEMENTATION AND BEST PRACTICE RECOMMENDATIONS
6.1 Realization of security in the energy industry’s electronic legal relationships and business transactions
No market participant can be compelled to apply digital signatures and encryption unless it is bound
by law to do so, for instance in the case of electronic invoice transmission where input tax deduction
is claimed on the invoice.
On the basis of a bilateral, multilateral or, ideally, sector-wide agreement, criteria should be
defined, in particular for signed electronic data exchange. Where a given communication partner
fulfils these criteria, market participants should undertake, likewise on the basis of a sectoral
agreement, to use digital signatures and, where necessary, encryption. Even outside the statutory
framework of qualified signatures with provider accreditation (under the relevant legislation), this
must give every market participant receiving an (advanced) electronically signed transaction from
another market participant the assurance of non-repudiation.
Most of the criteria for qualified signatures are defined by law. For advanced signatures (e.g. mutual
acceptance of company PKI certificates) the following main criteria apply:
 a uniform security level among participants, as a matter of principle;
 easy public key accessibility also for advanced signatures, i.e. publication of a subset of directory
information (generally on the Internet) for other market participants.
The technical and, above all, the organizational security level should be defined by a baseline IT
security specification, unless of course stricter criteria apply. The signature rules that individual
companies currently apply to meet audit requirements, particularly in business transactions with other
market participants, need to be carried over, in technical and organizational terms, into a PKI policy or
a Certification Practice Statement as far as digital signatures are concerned. Observance of this
security level is the basis for a trust model such as a Public Key Infrastructure used across
company boundaries.
Information-bound, certificate-based encryption and simple validation of electronically signed data, in
terms of sender authenticity and data integrity, assume that the public keys of communication
partners, certified as correct, are easily accessible and reliable with regard to their current validity.
This guarantee is given for “qualified” certificates, i.e. for key material certified by an
accredited certification service provider.
In the case of advanced signatures which were certified, for instance, within a company PKI,
publication of the public key and, where necessary, its prompt revocation must be ensured as long as
the owner of the signature key participates in the market. Simple signatures, such as scanned
signatures, carry no weight here.
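The check the two preceding paragraphs describe, as an added example that is not part of the ebIX document: a receiving market participant verifies an advanced signature issued under a partner’s company PKI, requiring that the signer’s certificate chains to the partner’s CA, is inside its validity period at verification time, is a signing (not encryption-only) certificate, and does not appear on a fresh, CA-signed CRL, before checking the signature itself. Everything here is constructed: the CA, the staff certificate, the EDIFACT-style sample message and all function names are assumptions, and the in-memory CA and CRL stand in for the partner’s published directory. Only Go’s standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Sentinel errors so the receiving system can log why a message was rejected.
var (
	ErrRevoked  = errors.New("signer certificate is listed on the CA's CRL")
	ErrStaleCRL = errors.New("CRL is past nextUpdate; revocation status unknown, failing closed")
)

// newCert generates a P-256 key and issues tmpl from parent (nil parent = self-signed).
// Hypothetical helper standing in for a company CA's issuance process.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// companyCA is a constructed in-house CA; it must be permitted to sign certificates and CRLs.
func companyCA(now time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{"Example Energy AG"}, CommonName: "Example Energy Company CA"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// staffCert issues a one-year, signature-only certificate to an employee who signs EDI messages.
func staffCert(serial int64, cn string, now time.Time, caKey *ecdsa.PrivateKey, ca *x509.Certificate) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"Example Energy AG"}, CommonName: cn},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, ca, caKey)
}

// issueCRL is the CA's publication of revoked serials. It is valid for 24 hours; after that a
// relying party must fetch a fresh list rather than keep trusting the old one.
func issueCRL(caKey *ecdsa.PrivateKey, ca *x509.Certificate, number int64, now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// signMessage produces an ECDSA P-256 signature over SHA-256 of the raw message bytes.
func signMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifySignedMessage is the receiver's acceptance check, in this order: chain to the partner's
// CA at time at, key usage, CRL (CA signature, freshness, serial), and only then the signature.
func verifySignedMessage(msg, sig []byte, signer, ca *x509.Certificate, crlDER []byte, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return fmt.Errorf("chain: %w", err) // untrusted issuer, or outside the validity period
	}
	if signer.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not a signing certificate (e.g. encryption-only)")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if at.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return signer.CheckSignature(x509.ECDSAWithSHA256, msg, sig)
}

func main() {
	now := time.Now()
	caKey, ca, _ := companyCA(now)
	staffKey, staff, _ := staffCert(1001, "EDI Clerk", now, caKey, ca)
	msg := []byte("UNB+UNOC:3+9900123456789:500+9900987654321:500+060516:1200+REF0001'") // constructed sample
	sig, _ := signMessage(staffKey, msg)
	crl1, _ := issueCRL(caKey, ca, 1, now)        // nothing revoked yet
	crl2, _ := issueCRL(caKey, ca, 2, now, staff) // staff certificate revoked, e.g. employee left
	fmt.Println("fresh CRL, valid cert:", verifySignedMessage(msg, sig, staff, ca, crl1, now))
	fmt.Println("after revocation:     ", verifySignedMessage(msg, sig, staff, ca, crl2, now))
	fmt.Println("CRL two days old:     ", verifySignedMessage(msg, sig, staff, ca, crl1, now.Add(48*time.Hour)))
}
```

Two design choices matter in practice. The CRL is checked before the signature and a stale CRL is treated as a rejection, not as "no revocation known": a partner whose revocation list cannot be confirmed current gives no assurance about the key’s present validity, which is exactly the property the text requires. And the key-usage test stops an encryption certificate from the same directory being accepted as a signing credential. A production receiver would fetch the CRL (or query OCSP) from the partner’s published repository rather than receive it with the message, and would also record which CRL number was consulted for audit purposes.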
Conversely, market participants accepting electronically signed messages from other market
participants should undertake
 to accept the digital signatures and sender identifications of their communication partners for
verification of legal liability, integrity and authenticity, to the extent that they guarantee sufficient
security for the application (the “acceptance criterion”),
 provided that the document transmitted conforms to the adopted market interfaces, e.g. EDIFACT, XML,
etc. (the “document compatibility criterion”);
 to make their certificates, with public keys for encryption or for validation of signatures, available
(the “publication criterion”);
 to encrypt the data of their communication partners in online transactions and to provide it, as
agreed, with an advanced or qualified signature (the “criterion of voluntary commitment”).
All EDI message components needed for electronic invoicing, and all declarations of intent with the
character of a legal document, require a qualified signature with provider accreditation.
Other EDI message types between market participants must be signed with at least an advanced
signature (example legal framework: General Standard Terms and Conditions, or an association’s
agreement), but they may also bear a qualified signature (example legal framework: the German Digital
Signature Act).
Informal but valuable or binding declarations of intent, sent e.g. by e-mail, are signed and, where
necessary, encrypted depending on the degree of confidentiality.
Market players participating in the process shall ensure that, in their role as communication
partners, they use appropriate verification software to verify liability on the basis of the two legal
frameworks mentioned above, as well as the integrity of the message and the authenticity of the
sender.
6.2
General process for setting up public key infrastructures
Before discussing development steps, MAKE or BUY or even technical questions, it is advisable to
answer some basic questions concerning functions and applications for which certificate-based process
steps are necessary or rational. Applications should be segmented before determining the number of
users within these segments. In most cases, a first and simple step is e-mail encryption and signature
for selected workstations. More interesting in economic terms, however, are commercial applications
for which certificate-based mechanisms may be practical.
6.2.1
Possible process for the definition of business transactions/applications for which certificates
are to be used
Examples:
 Business transactions/applications are e.g. the generation of electronic invoices in the context of
Electronic Data Interchange, e.g. between members of VDEW
 other electronic declarations of intent with the character of a legal document (documents which
may substantiate long-term claims)
 transferring signature rules in the e-procurement context (EDI-based, e.g. schedule, or Web-based,
e.g. order for materials)
 transferring rules in the context of internal business processes which are to be authenticated on the
basis of certificates (e.g. SAP HR, Human Resources)
 Secure mobile workstation (e.g. remote LAN access)
 encryption of files
 etc.
Apart from legal requirements (concerning e.g. billing/electronic invoices), the possible litigation level
and other risk management considerations should be given particular weight. Certificate categories
should then be assigned to business transactions/applications (possibly with quantification). To this
end, the question to be asked is where advanced signatures are sufficient and where qualified
certificates (with provider accreditation) should or must be used.
An external PKI service provider, as the standard option for the PKI, should be selected in the same
way as in other outsourcing or out-tasking projects in the service sector, i.e. according to
performance and service level agreement.
Creation of a decision matrix for the assessment of tenders submitted by certification service providers
is also useful here because some of the providers accredited today apply different philosophies with
regard to corporate clients. This matrix facilitates assessment and documentation for the selection and
recommendation of a service partner.
6.2.2
Registration process
The registration process ensures an unambiguous association between certificate and staff
member/user; thus, it substantially determines the PKI’s security level. The registration processes
related to the certificate category and the processes associated with certificate management should be
standardized internally unless they were determined by the external PKI service provider.
Therefore, the start-up phase and the operational phase of the registration process should be defined
clearly in advance and implemented in accordance with audit requirements. For this reason, the
process is usually tied to the issuance of a new employee identity card. A multifunctional identity card
with a contact chip, or additionally a contactless chip, can serve, apart from certification of the key
material, a large variety of other functions, such as computer logon, building access, payment in
canteens, etc.
As far as qualified certificates are concerned, detailed specifications are usually determined by the
certification service provider. However, these specifications must always be synchronized with
internal mechanisms, e.g. for identity and access management, and in particular with the following
mechanisms:
 Conceptual design of the registration process for certificates which do not conform to the Digital
Signature legislation.
 Certificate lifecycle events: initial issue (new certificate/SmartCard, collective request); follow-up
issue (new keys, previous SmartCard); issuance of a replacement certificate/SmartCard (compressed);
issuance of a replacement certificate/SmartCard (not compressed); return of the replacement
certificate/SmartCard; withdrawal of the certificate/SmartCard when leaving the company; blocking of
the certificate/SmartCard; description of the recertification process after expiry of certificates (user).
The following procedure is recommended with a view to successfully implementing standards for the
introduction and utilization of the basic PKI:
 Selection of firm partners for the introduction and operation of the basic PKI and of certificate-based
applications (preferred partner / products).
 Definition of the internal ordering process for PKI services/products (definition of packages where
possible). Definition of the functions of certificate purchase to limit “product variety”.
 If certificates are frequently used for communication with external business partners (e.g. through
EDI), it is necessary to grant these firms access to the corporate directory or to make a subset of the
corporate directory available in a repository (cf. above). To this end, a new definition of firewall
rules may be required for access of partner firms to certificates in the corporate directory.
7 OUTLOOK
Information technology, and thus in legal terms the electronic form of almost all documents, will
certainly spread to a growing number of areas of public life and business. This will also increase the
importance of digital signatures, whether advanced, in the legal framework of a closed user group, or
qualified, in the legal framework of a national signature law. This is the only way to ensure
verifiability/non-repudiation and integrity of electronic information in legal terms and hence in a
non-contestable manner.
Written signatures will have to be abandoned in any area where a change of media would impede
further rationalization.
Furthermore, more open networks (e.g. through wireless technology) will increasingly require
encryption at the information level, i.e. of the document itself. At the network level, re-encryption is
required, for physical reasons, at every change of transmission medium. End-to-end security
therefore exists only at the information level.
The authentication process in applications will be based to an increasing extent on certificates and less
on passwords.
For intelligent appliances and applications, digital signature will be the modern “seal” in data
transmission: it will secure data integrity irrespective of the transmission path.
The relevant technology is available now at reasonable costs. Certification service providers offer
keys, reader hardware and software plug-ins for standard mail systems at relatively low entry-level
cost so that small companies can also afford them. Manufacturers of EDI systems already have
solutions available, and are working on their harmonization with the new legal possibilities and the
requirements of data access and storage (cf. chapter 3.2.2).
Much more important than technology is the acceptance and the correct handling of the change of
paradigm associated with the digital signature as an alternative to the written signature. This is the
actual challenge that has to be coped with in order to consistently utilize the possibilities of the
electronic form, including digital signatures, for corporate development. Electronic business within the
energy industry and with its partners constitutes a practical entry-level in this respect.