PKI and Digital Signatures Update

PKI and Digital Signatures Update

Benefit from a technology finally becoming mature (PKI: from Please Kill It to Promote and Keep It)

28 June 2006 (14-21)
Location: Sofitel Diegem (Diegem near Brussels (Belgium))
Presented in English
Price: 540 EUR (excl. 21% VAT)

This event is history, please check out the List of Upcoming Seminars, or send us an email

Check out our related in-house workshops:

 Learning Objectives

Why do we organize this seminar ?

Although PKI and related technologies have been around for a long time, there was a clear reluctance from the market to use them. Among others, the image of complexity/cost that hung around PKI (need for procedures, hyper-secure infrastructure, integration in applications, etc) fed this reluctance. But also and mainly, there were no real business needs for PKI and related technologies. At that time, the market was rather seeking (low-cost) simplification in business through a shift from paper to the electronic world and where applicable (low-cost) solutions for security-enhancements (mainly in the field of strong authentication).

However, a few years ago, there was no legal framework around dematerialisation. Now that laws on e-commerce, electronic signatures, ... exist, there are no barriers anymore for dematerialisation. And very rapidly, one can see that behind dematerialisation, PKI is becoming unavoidable... because dematerialisation relies on the functional features provided by PKI, i.e., e-signature, strong authentication, encryption.

Also, evolution and some regulations (like SOX) raised the bar with relation to security-enhancements and controls. Some controls are no longer enough. Shortcomings may lead to potential liabilities. Some business-scenarios are even too risky if proper security is not embedded. So also here there is a growing need for the functional features provided by PKI, i.e., e-signature, strong authentication, encryption.

At the same time, there is an emergence in the market of low(er)-cost reliable tools/solutions (and embedding of related functions in every-day ICT-solutions/platforms). Also, we see the advent of national electronic Identity (eID) cards in Europe which raises awareness and possibilities. This, joint to the fact that the need for dematerialisation is today becoming so high and the related potential ROI's are so clear today, makes PKI boom today.

Currently the most important questions do not relate to whether or not it should be used but on how to correctly and cost-effectively implement and use it (i.e. with legal compliance, with the accurate level of security, with a sufficient level of interoperability with third parties, on which buildings blocks to rely, within which budget, …) while benefiting from current implementations such as national eID's. All these questions will be treated during the seminar and highlighted with recent use cases.

This seminar is presented by Erik R. van Zuuren and Cristof Fleurus of Ascure NV, and by Sylvie Lacroix and Olivier Delos of SEALED, who are working together in multiple PKI projects within government and private industry.

Questions answered during this seminar:

This seminar answers many questions on how to correctly implement PKI and related technologies today:

  • with legal compliance,
  • with the accurate level of security,
  • with a certain level of interoperability with third parties,
  • while guaranteeing trust to end-users,
  • with reliable buildings blocks,
  • within which budget,
  • while benefiting from current implementations such as eID's

Also links will be made with public initiatives like the Belgian eID-initiative:

  • How to reconcile citizen-based eID schemes and business needs in business-oriented processes ?
  • How eID can save you money, while avoiding a bad implementation which can ruin your efforts !

All these questions and topics will be treated during the seminar and highlighted with recent use-cases.

Who should attend this seminar ?

This seminar will be useful for anyone needing to have a practical update from a business- or security-perspective on the PKI- and related technologies, including eID schemes, as well as the regulatory framework for supporting electronic signatures, strong authentication schemas and/or encryption. Functionally speaking these persons can be:

  • business managers, eGov-managers, B2B/B2C-project leaders
  • legal persons / auditors looking for an update in this field
  • architects and technical staff wanting to get a status update and overview

 Full Programme

13.30h - 14.00h
Registration, coffee/tea and croissants
14.00h - 14.50h
Basics (PKI finally unleashed)
- Erik R. van Zuuren and Cristof Fleurus (Ascure)

PKI is becoming an important part (maybe even cornerstone) of any ICT-/eBusiness-infrastructure. It supports important functionality. No supporting infrastructure can be well designed if one does not know the expected functionalities (and their criticality / security requirements). This especially is true for PKI's. Some examples:

  1. PKI can be used to issue so-called certificates (i.e., the "digital passports") to authenticate a user before allowing access. The coinciding security requirements depend on the value of information behind it.
  2. PKI can be used to issue so-called certificates to sign documents for authenticity and integrity reasons or for formal contractual reasons. The coinciding security requirements depend on required proof-of-authenticity and potentially required level of liability.
  3. PKI can be used to issue so-called certificates to encrypt confidential information (either at communications- or at data-level). The coinciding security requirements depend on the value of information behind it.

So, design of a good PKI (and its environment - see below) depends on its usage. In this chapter we will give an overview of how and where PKI can be used and fly over the most important components/parts of a PKI-enabled infrastructure. This chapter will be illustrated with some PKI implementation examples among which the Belgian eID PKI.

14.50h - 15.40h
Legal and Standards
- Sylvie Lacroix and Olivier Delos (SEALED)

From the legal and regulatory side, there are no more legal barriers nowadays to use PKI. In particular, we have in Europe more than 5 years of e-signature practices, since the Member States implementation of the European Directive 1999/93/EC on electronic signature framework and the provisioning of underlying certification services. On the technical side, we will see that there are numerous standards guiding PKI implementations aiming to provide a technical framework to reach some interoperability between PKI-based applications.

However, we are still facing some discrepancies between technical and legal point of views leading sometimes to strange practical implementations, even when relying on the eID scheme. This section shall explain how to reconcile technical and legal perspectives provided correct implementations are in place.

15.40h - 16.00h
Coffee/Tea and Refreshments
16.00h - 16.50h
PKI-enabled Architectures
- Erik R. van Zuuren and Cristof Fleurus (Ascure)

In this session, we will treat several aspects of a PKI-enabled infrastructure and give you an important amount of useful information:

  • How to set up a corporate CA-structure?
  • How to handle (external) trusts?
  • Integration of eID's?
  • How to handle registration/suspension/revocation?
  • How to integrate and manage (S)SCDs?
  • How to integrate into IDM-environments?
  • What about key-vaults and key-recovery?
  • How to integrate with windows-environments?
  • What about potential X-sourcing?
16.50h - 17.40h
PKI and Digital Signature Best Practices
- Sylvie Lacroix and Olivier Delos (SEALED)

As it remains very difficult to map available standards to a particular business context, there is a clear need for guidelines to provide trusted PKI-based services and to develop, implement and deploy trustful PKI supported applications.

This chapter shall present the four domains to be taken into account in order to reach best practices for the implementation of PKI based services or supported applications: the legal & regulatory environment, the policies framework (based on the coinciding RFC's and best practices), the design guidelines and the specific technology aspects. This four domain principle shall be illustrated by the DIS-Institute initiative around trustful implementation of Belgian eID supported applications.

In particular, this section will also aim to give a good understanding of Certificate Practices Statement and Certificates Policies, and other more application-oriented policies such as Signature and Authentication Policies.

17.40h - 19.00h
Dinner
19.00h - 19.50h
PKI-Application and technologies
- Erik R. van Zuuren and Cristof Fleurus (Ascure)

PKI only gets to its real potential when it is being effectively used. Therefore this chapter shall provide an overview of immediately available or soon to become available technology (and how it works) you can use to support your business or improve your security:

  • Strong Authentication for eBusiness, eGovernment
  • Strong Authentication-options within Windows-environments
  • Document-Signing Solutions within the market-place
  • Getting Form-Signing into production
  • Data Protection-Solutions available now
19.50h - 20.40h
Available applications
- Sylvie Lacroix and Olivier Delos (SEALED)

This section of the seminar shall be devoted to the description of current PKI supported applications or services while detailing several interesting case-studies with a clearly identified ROI:

  • Ministry of Flemish Government (G2C, G2G)
  • eID implementation at the Flemish Water Company VMW - Vlaamse WaterMaatschappij (G/B2C)
  • eTrienal project from the Walloon Region (G2G)
20.40h - 21.00h
Final Q & A
21.00h
End of this seminar

 Speakers


Erik van Zuuren (Deloitte Enterprise Risk Services)
Erik van Zuuren

ir. Erik R. van Zuuren MBA is Senior Manager at Deloitte Enterprise Risk Services and has an extensive experience in Information Security Governance and Risk Management related disciplines, both at strategic and tactical level and has an extensive experience at C-level in the private sector and management- / cabinet-level in the public sector.

ir. Erik R. van Zuuren MBA is active as consultant since over 10 years and since participated in and led a broad range of strategic and tactical projects mostly in Belgium and The Netherlands. Some examples of his experience are:

  • extensive experience in governments (Belgian Federal and Flemish) and related agencies and wide experience in a diverse spectrum of private industry (financial/insurance/industry/energy/...).
  • one of the fathers/authors of the blueprint for the Belgian Personal Identity Card Project (BelPIC) and e.g. program manager for the Flemish government’s identity and access management platform.
  • assistant to several CIO/CTO/CISO’s and coach in several Information- and ICT- Security projects (incl. strategic level, tactical level, architectural angle, organisational/procedural angle, ...)
  • creator of security strategies, policies, frameworks and architectures for medium/large organisations, multinationals and government agencies
  • creator of e-business- and e-government enabling Identity and Access Control Management as well as Public Key Infrastructure blueprints, concepts and architectures
  • co-organiser/chairman/speaker/moderator at several security- and ICT-related events (CSI US, L-SEC, esec2001-esec2004, I.T. Works, ...)

ir. Sylvie Lacroix and ir. Olivier Delos (Sealed)
ir. Sylvie Lacroix and ir. Olivier Delos Sealed

From a technical background in microelectronics, telecom, information security, cryptography, and PKI topics, Ir. Sylvie Lacroix and Ir. Olivier Delos (CISSP) both acquired, through various major projects, significant experience in business representation and exploitation of these techniques. Mainly through the complete set-up of the Belgacom (and then Certipost) E-Trust Services (Trusted Third Party services such as electronic identity certification & Time Stamping services) and the implementation of major projects in e-Security within Belgium and Europe.

Until recently they were heading the E-Trust Solutions department within Certipost, managing some of the most important projects related to the e-Security in Belgium and their practical implementations such as:

  • The Belgian electronic identity card (eID),
  • ID certification services for the European Commission, Belgian Notaries, Accountants, Revisors, etc.,
  • e-Bidding services,
  • Electronic registered mail,
  • Securing e-invoicing services.

Now, through SEALED, they position themselves as architects of e-Solutions and e-Security services. “Architect” in the full sense as this covers not only the analysis and design part of the e-Solutions fitting to particular business needs but also the organisation, management and follow-up of the realisation of such solutions, either through the writing of RFPs or the selection of the most appropriate solutions builders.

Cristof Fleurus (Ascure NV)

Cristof FleurusCristof Fleurus has worked in the PKI and Trusted Services profession for a number of years and has large experience in designing and implementing PKI architectures. He is currently employed by Ascure as Information Security Consultant. In his current function as Consultant, Cristof is responsible for analyzing, designing and implementing PKI architectures and applications for clients. Besides PKI and Trusted Services, Cristof also consults on application and web application security. He has experience in a number of business and industry sectors including: Banking, Government, Social Security, Energy Services, and the Information and Telecommunication (ICT) sector.

Questions about this ? Interested but you can't attend ? Send us an email !

-->