
Bridge/Gateway Certification Authority (BGCA)

Now that EU public administrations increasingly use electronic certificates to support secure e-mail and electronic signature, there is a parallel need to establish trust relations between the certification services providers used by national public administrations. This is to allow civil servants in the Member States that participate in IDABC networks to use the electronic certificates issued by their national certification authorities in IDABC’s pan-European administrative networks. Hence, a BGCA could provide the necessary degree of trust and confidence required to allow the Member States’ public administrations to use their electronic certificates in both national and pan-European secure e-mail exchange and for electronic signature.

Last update: 07/2007


What is BGCA?

At present, civil servants in national public administrations that participate in IDABC networks must use electronic certificates from the IDABC PKI for security of communications, encryption and electronic signature.

There are two main reasons for this. The first is due to interoperability problems. The second is that there is no way, at present, for trust to be established in an electronic certificate from a certification authority other than one's own. The traditional PKI model assumes that this would be solved by 'cross-certification' and mutual recognition, but, by and large, these have not occurred.

For national public administrations to use electronic certificates issued by their national CAs (i.e. the CAs contracted to provide certification services to their national public administrations) in IDABC networks or in trans-European (i.e. cross-border) communications with other Member States' administrations, a mechanism must be found whereby trust and confidence can be established between these CAs. Such a mechanism is a 'bridge' or 'gateway CA'. IDABC was charged, at the request of the Member States, to carry out a study (an action of the 2001 work programme) to examine the feasibility of establishing a bridge or gateway CA to act as an intermediate trust infrastructure between the PKIs of Europe's national public administrations.

Objectives

The basic issues of mutual recognition and the establishment of trust between the CAs of Europe's public administrations have yet to be adequately addressed. If this were achieved, there would be two main benefits. First, civil servants could use their nationally-issued electronic certificates in pan-European administrative networks, and also for secure communications and electronic signature with other public administrations in Europe. Secondly, it would support the establishment of pan-European interactive services open to enterprises and citizens that possess electronic certificates issued by the CAs of other national administrations.

The overall objective of the action is to take the results from the feasibility study, and, with the participation of the Member States, to examine fully the implications of a bridge CA and carry out an interoperability pilot.

How does it work?

The feasibility study examined the policy, organisational and technical issues for the establishment of an intermediate trust infrastructure between the CAs used by the Member States' public administrations. It addressed the main policy issues and the equivalence of certificate policies, provided model technical architectures (e.g. web trust model, bridge model, etc.), and discussed the organisation and governance of the bridge CA and the requirements for interoperability. To achieve this, meetings were conducted with Member States, participating on a voluntary basis, that have already set up certification services for their national public administrations or are well advanced in their planning in this area.

These first results suggested how the work of achieving interoperable PKIs should be carried forward. Based on these, a detailed trust model was proposed for a BGCA pilot.

Achievements

In July 2002 IDA produced the feasibility study 'A bridge CA for Europe's public administrations'. The report examined the feasibility of establishing an intermediate trust infrastructure.

One of the recommendations of the feasibility study was that trust relationships could be established by distributing certificate trust lists (CTLs) electronically signed by a bridge CA, and that a pilot should be carried out to provide a proof of concept of the bridge CA and of the methods of working proposed in the feasibility study.

It must be emphasised that the bridge CA would in no way cross-certify, authenticate or otherwise control or authorise the certification authorities of the Member States' public administrations. It would simply act as a gateway between the national CAs. However, there are certain organisational and administrative issues that will need to be agreed among the Member States before any kind of physical bridge CA could be implemented. These include agreement on a common authentication policy, a certificate policy, and some kind of memorandum of understanding on the acceptance of electronic certificates signed by other Member States' certification authorities and communicated to the Member States' administrations by the bridge CA.

These items are addressed in the 2004 action of establishing a Pilot for the BGCA and deriving some recommendations on technical, operational and procedural aspects. A first interim report, providing initial recommendations on trust list usage, was produced in 2003. The report on trust list usage was finalised in 2004, together with the architecture and the test programme of the BGCA Pilot.

The IDABC BGCA Pilot was launched in January 2005, and the prepared test programme was carried out. The results of the BGCA Pilot and the final recommendations for an operational BGCA were finalised in October 2005.

As a follow-up to these recommendations, a measure called "Operational Bridge / Gateway Certification Authority (BGCA)" was included in the revised version of the IDABC Work Programme (see fact sheet: http://ec.europa.eu/idabc/en/document/6487/5938). The goal of this measure is to validate the achieved results with a real-case application, and to solve the remaining legal and organisational issues identified through the BGCA Pilot Project.

Who benefits?

Public Administrations: They will be the main users/beneficiaries of an IDA BGCA. They will be able to use electronic certificates issued by their national CAs for authentication of identity and for the secure exchange of information at the pan-European level.

The role of IDABC

The BGCA is one of the security actions developed by IDABC.

Key Data

Project start date: 2002

Project completion date: 2004

IDA budget: 2001 € 90,000; 2002 € 70,000; 2004 € 240,000

Responsible service: DG Enterprise and Industry - IDABC Unit

Project coordinator: Gzim Ocakoglu

Contact: idabc@ec.europa.eu

Countries involved: All EU Member States
