CEN TR 419010-2017 Framework for standardization of signatures - Extended structure including electronic identification and authentication.pdf

1、Framework for standardization of signatures - Extended structure including electronic identification and authentication PD CEN/TR 419010:2017BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06TECHNICAL REPORT RAPPORT TECHNIQUE TECHNISCHER BERICHT CEN/TR 419010 May 2017

2、ICS 35.030; 35.240.30 English Version Framework for standardization of signatures - Extended structure including electronic identification and authentication Cadre pour la normalisation des signatures - Structure tendue incluant lidentification et lauthentification lectronique Rahmen fr die Normung

3、von Signaturen - Erweiterte Struktur einschlielich elektronischer Identifizierung und Authentifizierung This Technical Report was approved by CEN on 17 April 2017. It has been drawn up by the Technical Committee CEN/TC 224. CEN members are the national standards bodies of Austria, Belgium, Bulgaria,

4、 Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,

5、 Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Membe

6、rs. Ref. No. CEN/TR 419010:2017 ENational forewordThis Published Document is the UK implementation of CEN/TR 419010:2017.The UK participation in its preparation was entrusted to Technical Committee IST/17, Cards and personal identification.A list of organizations represented on this committee can be

7、 obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017ISBN 978 0 580 96260 8ICS 35.240.30; 35.030C

8、ompliance with a British Standard cannot confer immunity from legal obligations.This Published Document was published under the authority of the Standards Policy and Strategy Committee on 31 July 2017.Amendments/corrigenda issued since publicationDate Text affectedPUBLISHED DOCUMENTPD CEN/TR 419010:

9、2017TECHNICAL REPORT RAPPORT TECHNIQUE TECHNISCHER BERICHT CEN/TR 419010 May 2017 ICS 35.030; 35.240.30 English Version Framework for standardization of signatures - Extended structure including electronic identification and authentication Cadre pour la normalisation des signatures - Structure tendu

10、e incluant lidentification et lauthentification lectronique Rahmen fr die Normung von Signaturen - Erweiterte Struktur einschlielich elektronischer Identifizierung und Authentifizierung This Technical Report was approved by CEN on 17 April 2017. It has been drawn up by the Technical Committee CEN/TC

11、 224. CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,

12、Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2017 CEN All rights of e

13、xploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TR 419010:2017 EPD CEN/TR 419010:2017CEN/TR 419010:2017 (E) 2 Contents Page European foreword . 3 Introduction 4 1 Scope 5 2 Terms and definitions . 5 3 Symbols and abbreviations . 6 4 Overview of the

14、eID landscape in official documents 7 4.1 Overview of CIR 2015/1502 7 4.2 Overview of CIR 2015/1501 8 4.3 Overview of Interoperability Framework 8 5 Impact on standards currently Identified in the ETSI/CEN framework for standardization of signatures . 8 5.1 General 8 5.2 Impact on standards in area

15、1 9 5.3 Impact on standards in area 2 9 5.4 Impact on standards in area 3 . 10 5.5 Impact on standards in area 4 . 11 5.6 Impact on standards in area 5 . 11 5.7 Impact on standards in area 6 . 11 6 Further standardization support for national eID . 11 6.1 General . 11 6.2 Policy Requirements for Ide

16、ntity Provider related services . 11 6.3 Devices . 12 Bibliography . 13 PD CEN/TR 419010:2017CEN/TR 419010:2017 (E) 3 European foreword This document (CEN/TR 419010:2017) has been prepared by Technical Committee CEN/TC 224 “Personal identification and related personal devices with secure element, sy

17、stems, operations and privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or al

18、l such patent rights. This document has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association. PD CEN/TR 419010:2017CEN/TR 419010:2017 (E) 4 Introduction The Digital Agenda for Europe mentions in Pillar I (Digital Single Market) the Action 8 (R

19、evision of the eSignature Directive), and this includes mutual recognition of electronic identification. The first phase of Standardization Mandate M/460 27, issued by the Commission to CEN, CENELEC and ETSI for updating the existing eSignature standardization deliverables, produced a rationalized f

20、ramework to be the entry point for electronic signature standardization and overcome the complexity of standardization landscape within the context of the Signature Directive 1999/93/EC 26, taking into account possible revisions to this Directive, and proposes a future work programme to address any

21、elements identified as missing in this rationalized framework. To take into account the needs for electronic identification and authentication, identified as a gap from the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 23, it was decided to study the standardization landscape

22、around electronic identification and authentication as distinct from electronic signatures, identifying gaps and needs for standardization. The Commission adopted the Regulation (EU) 910/2014 27 on electronic identification and trust services for electronic transactions in the internal market on 23r

23、d July 2014, to provide a legal framework which includes consistent and coherent provisions on electronic identification and trust services in order to overcome the deficiencies of the eSignatures Directive 1999/93/EC 26 and to provide legal measures on cross-border mutual recognition and acceptance

24、 of national eIDs. The Commission published CIR 2015/1502 30 on assurance levels for electronic identification means and CIR 2015/1501 29 on interoperability framework to help the development of interoperable identity schemes across MS. The eIDAS Expert Group has published a set of technical specifi

25、cations 31 for the eIDAS interoperability framework, including a document of architecture and a document of cryptographic requirements, to complement the CIR 2015/1501 29. This is considered to address the interoperability requirements for use of eIDs across Europe. This document analyses the impact

26、 of these two CIRs firstly on the already published standards identified in the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 23 and secondly on potential requirements for further standards for harmonizing national approaches to identification and authentication as a new area

27、in the ETSI/CEN framework for standardization of signatures ETSI/TR 119 000 23. PD CEN/TR 419010:2017CEN/TR 419010:2017 (E) 5 1 Scope The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signat

28、ure towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in this context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication

29、 but the scope here is limited to electronic signature context, and wider to electronic transactions in the internal market. The present Technical Report is twofold. It firstly does a brief analysis of the implementing acts on electronic identities CIR 2015/1501 29 and CIR 2015/1502 30 and how this

30、 is addressed by the eID interoperability framework 31. It secondly establishes what areas of existing standards are impacted by the eID framework and what further areas of standardization could assist nations in providing eID services. 2 Terms and definitions For the purposes of this document, the

31、following terms and definitions apply. NOTE Reg stands for the eIDAS Regulation 28, ISO for ISO/IEC 29115 40 and CIR for CIR 2015/1501 29 or CIR 2015/1502 30). Refer also to ETSI/TR 119 001 24. 2.1 Authentication (ISO) verification that an entity is the claimed one 2.2 Authentication (Reg) electroni

32、c process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed 2.3 Authentication factor (ISO) piece of information and/or process used to authenticate or verify the identity of an entity Note 1 to entry: Auth

33、entication factors are divided into four categories: something an entity has (e.g. device signature, passport, hardware device containing a credential, private key); something an entity knows (e.g. password, PIN); something an entity is (e.g. biometric characteristic); or something an entity typical

34、ly does (e.g. behaviour pattern). 2.4 Authentication factor (CIR) factor confirmed as being bound to a person, which falls into any of the following categories: possession-based authentication factor means an authentication factor where the subject is required to demonstrate possession of it; PD CEN

35、/TR 419010:2017CEN/TR 419010:2017 (E) 6 knowledge-based authentication factor means an authentication factor where the subject is required to demonstrate knowledge of it; inherent authentication factor means an authentication factor that is based on a physical attribute of a natural person, and of w

36、hich the subject is required to demonstrate that they have that physical attribute 2.5 Identity (ISO) set of attributes related to an entity Note 1 to entry: Within a particular context, an identity can have one or more identifiers to allow an entity to be uniquely recognized within that context. 2.

37、6 Electronic identification (Reg) process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person 2.7 Node (CIR) connection point which is part of the electronic identification interoperability arc

38、hitecture and is involved in cross-border authentication of persons and which has the capability to recognize and process or forward transmissions to other nodes by enabling the national electronic identification infrastructure of one MS to interface with national electronic identification infrastru

39、ctures of other MSs 2.8 Node Operator (CIR) entity responsible for ensuring that the node performs correctly and reliably its functions as a connection point 2.9 Level of eID assurance (Reg) degree of confidence in electronic identification means in establishing the identity of a person, thus provid

40、ing assurance that the person claiming a particular identity is in fact the person to which that identity was assigned Note 1 to entry: The regulation defines three levels: low, substantial and high; these are detailed in CIR 2015/1502 30. 2.10 Signatory (Reg) natural person who creates an electroni

41、c signature 3 Symbols and abbreviations For the purpose of this document, the following abbreviations apply. CC Common Criteria CIR Commission Implementing Regulation eSENS Electronic Simple European Networked Services IAS Identification, Authentication, Signature PD CEN/TR 419010:2017CEN/TR 419010:

42、2017 (E) 7 ICC Integrated Circuit Card IdP Identity Provider MAC Message Authentication Code MNO Mobile Network Operator MRED Machine-Readable Electronic Documents MS Member State NIST National Institute of Standards and Technology PIN Personal Identification Number PP Protection Profile QAA Quality

43、 of Authentication Assurance (STORK) QSCD Qualified Signature/Seal Creation Device RA Registration Authority RF Rationalized Framework RP Relying Party SAD Signature Activation Data SAML Security Assertion Markup Language SAP Signature Activation Protocol SCA Signature-Creation Application SE Secure

44、 Element SIM Subscriber Identity Module SP Service Provider SSCD Secure Signature Creation Device STORK Secure identiTy acrOss boRders linKed TLS Transport Layer Security TR Technical Report TS Technical Specification TSP Trust Service Provider TSCM Trustworthy Signature Creation Module TTP Trusted

45、Third Party 4 Overview of the eID landscape in official documents 4.1 Overview of CIR 2015/1502 CIR 2015/1502 30 describes technical specifications and procedures for the three assurance levels of the Regulation (low, substantial and high) for electronic identification means issued by a MS having no

46、tified its electronic identification scheme. The document details requirements for: enrolment (application, registration, identity proofing and verification), PD CEN/TR 419010:2017CEN/TR 419010:2017 (E) 8 electronic identification means management (characteristics, design, issuance, delivery, activa

47、tion, suspension, revocation, reactivation, renewal and replacement), authentication (using dynamic authentication at level substantial), and management and organization (including compliance and audit). The international standard ISO/IEC 29115 40 and the European project STORK (and its QAA levels)

48、have been taken into account. It is suggested to apply ISO/IEC 27000 38 and ISO/IEC 20000 37 series principles and methodologies for information security and service. 4.2 Overview of CIR 2015/1501 CIR 2015/1501 29 describes technical and operational requirements of the interoperability framework to

49、ensure interoperability of notified identification schemes within MS. It introduces nodes (and nodes operators, see Clause 2 on definitions) as being central for the interconnection of MS electronic identification schemes. It describes the minimum data set for identifying a natural or legal person. It binds this with CIR 2015/1502 30 and provides requirements for data privacy (no personal data storage at nodes), confidentiality and integrity (of the data exchanged between nodes). The d