author: Leonard Kugis <leonard@kug.is> 2020-03-09 18:22:46 +0100
committer: Leonard Kugis <leonard@kug.is> 2020-03-09 18:22:46 +0100
commit: 93bcbc79afb52cfa189ef5ee86804d8bb19fb645 (patch)
tree: 8cc03244760d804cc9d2eb2df232fd051b00b524 /en_GB/Introduction to Information Security
parent: 1e3ca9ff919d9705f47739247ed9c245e8e82d1a (diff)
IntroSec
Added information from Trust chapter.
Diffstat (limited to 'en_GB/Introduction to Information Security')
-rw-r--r-- en_GB/Introduction to Information Security/introduction_to_information_security.md 52
1 file changed, 51 insertions, 1 deletion
diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md
index f8e5f93..5df6055 100644
--- a/en_GB/Introduction to Information Security/introduction_to_information_security.md
+++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md
@@ -384,6 +384,53 @@ Infrastructure providing the service of public key distribution.
Medium. CA checks same as *DV* + company identity checked by third parties.
- Extended Validation SSL Certificate (EV cert)
Expensive. CA checks same as *OV* + official record matching.
+
+### Electronic Signatures
+
+*Digital Signatures* are signatures created by a public / private key pair and built upon mathematical evidence.
+However, there is no court accepting this as a "signature" in a classic sense.
+*Electronic Signatures* are binding documents with legal persons. So entering a name in some document count as electronic signature.
+This provides no integrity checks or mathematical validation.
+
+#### eIDAS
+
+With EU Regulation # 940/2014 (eIDAS), *Electronic Seals* come into place. They are issued by legal persons and provide integrity service.
+A seal from a representative might also be accepted.
+Also, *Trust Services* have been introduced. They provide approved procedures to convey a high level of trust.
+They are identified by the EU trust mark. Trust services provide a "Beweisumkehr" to them, if something goes wrong.
+*Advanced Electronic Signatures* are electronic signatures with mathematical evidence, de facto implemented with *digital signatures*.
+*Qualified Electronic Signatures* are electronic signatures created by a *qualified electronic signature creation device*.
+
+#### Identity Proofing and Verification
+
+| Proof level | Meaning |
+| --- | --- |
+| Low | Person *can be assumed* to possess this identity evidence of the member state in some form. |
+| Substantial | Person *has been verified* to possess the identity it claims by the member state. |
+| High | Person *has been verified* to be in possession of photo or biometric evidence. |
+
+#### Registration Authorities
+
+One has to have the possession of a certificate for the "Signaturgesetz".
+
+1. *Registration Authority* checks the identity of that person.
+2. *Certificate Authority* generates the certificate.
+
+*X.509* provedes certificate revocation lists for revoked certificates.
+This has to be handled online by *OCSP* servers. This may lead to high traffic.
+
+#### eID Public Key Infrastructure
+
+- *Document Signer* (DS)
+- *Country Signing Certificate Authority* (CSCA): Issues certificates for signers.
+- *Country Verifying Certificate Authority* (CVCA): Issues certificates to verifiers.
+
+#### Verification Procedure
+
+1. Digital signature binds document to public key.
+2. Certificate binds public key to name.
+3. Procedures at CA check correspondence between name and person.
+4. Operational procedures check that the person is holding the private key.
## Cryptocurrencies
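Review bot: The paragraph "*X.509* provedes certificate revocation lists ... This has to be handled online by *OCSP* servers" conflates two distinct revocation mechanisms: a CRL is a signed list that the relying party downloads and checks locally, whereas OCSP is the online alternative in which a responder is queried for the status of an individual certificate; the traffic concern applies to each in its own way (large CRL downloads versus one OCSP request per validation). Suggest splitting it, e.g. "*X.509* defines certificate revocation lists (CRLs) for revoked certificates. Alternatively, revocation status can be checked online via *OCSP*, which can generate high traffic." Further points in this hunk: "EU Regulation # 940/2014" has a stray "# " and the number should be checked against the official citation form, Regulation (EU) No 910/2014; "count as electronic signature" should read "counts as an electronic signature"; "provedes" should be "provides"; and since this is the en_GB text, the German terms "Beweisumkehr" (reversal of the burden of proof) and "Signaturgesetz" (the German Signature Act) should be rendered in English or at least glossed. Finally, the *Document Signer* (DS) bullet is the only entry in the eID PKI list without a description; add a short clause stating what it signs so the three roles read in parallel with the CSCA and CVCA entries.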
@@ -435,7 +482,7 @@ Privacy is based on the *Universal Declaration of Human Rights*. No one shall be
Member states shall protect the rights guaranteed in the *Universal Declaration of Human Rights*.
But member states shall also not restrict the free flow of data between states.
-Tese *directives* are not *laws*. It is up to the states to implements the *directives* how they like.
+These *directives* are not *laws*. It is up to the states to implements the *directives* how they like.
#### Terminology
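Review bot: While fixing "Tese", the same line still carries "implements" where "implement" is needed ("It is up to the states to implement the *directives* as they like"); suggest correcting both in this change rather than leaving a second typo fix for a later commit.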
@@ -456,6 +503,9 @@ Tese *directives* are not *laws*. It is up to the states to implements the *dire
### EU General Data Protection Regulation (GDPR)
+Compared to *directives*, *regulations* are directly implemented as laws to the courts,
+independent of the member state culture.
+
- Penalties: 4% of annual global turnover.
- Request consent in a more accessible form (explainations to the DAU)
- Breach notification
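Review bot: "directly implemented as laws to the courts" is imprecise; the property that distinguishes an EU regulation from a directive is that it is directly applicable in every member state without national transposition. Suggest: "Compared to *directives*, *regulations* apply directly in all member states as law, without national implementation and independent of member state legal culture." The nearby context line "explainations to the DAU" also has a typo ("explanations") and a German abbreviation that could be spelled out in English while this section is being touched.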