BSI Standards Publication

Rationalized structure for electronic signature standardization - Best practices for SMEs

PD CEN/TR 419030:2018

TECHNICAL REPORT
RAPPORT TECHNIQUE
TECHNISCHER BERICHT

CEN/TR 419030
May 2018
ICS 35.030

English Version

Rationalized structure for electronic signature standardization - Best practices for SMEs

Cadre pour la normalisation de la signature électronique - Meilleures pratiques pour les PME

This Technical Report was approved by CEN on 9 March 2018. It has been drawn up by the Technical Committee CEN/TC 224.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.

Ref. No. CEN/TR 419030:2018 E

National foreword

This Published Document is the UK implementation of CEN/TR 419030:2018.

The UK participation in its preparation was entrusted to Technical Committee IST/17, Cards and security devices for personal identification.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2018
Published by BSI Standards Limited 2018

ISBN 978 0 580 96807 5
ICS 35.030

Compliance with a British Standard cannot confer immunity from legal obligations.

This Published Document was published under the authority of the Standards Policy and Strategy Committee on 31 May 2018.

Amendments/corrigenda issued since publication
Date    Text affected

Contents

European foreword
Introduction
1 Scope
2 Terms and definitions
3 Abbreviations
4 Electronic seals as per EU Regulation 910/2014
5 SMEs perspective
5.1 Reasons for signing or sealing
5.1.1 General
5.1.2 Electronic signing as a way to confirm a legal commitment or because of a legal requirement
5.1.3 Electronic signing as a matter of diligence / risk management
5.1.4 Electronic seals as a way to comply with an explicit legal requirement to apply a seal, stamp or comparable formal requirement
5.1.5 Electronic seals as a way to ensure the integrity and authenticity of a document
5.2 Who signs or seals?
6 Solutions
6.1 General
6.2 Signature creation
6.2.1 General
6.2.2 Remotely managed signature creation application and signature creation device
6.2.3 Remotely managed signature creation device
6.2.4 Remotely managed signature creation
6.2.5 Signature creation application and signature creation device in the hand of the signatory
6.2.6 Responsibilities of parties
6.2.7 Level of security and assurance on the issued signatures
6.3 Signature validation
6.4 Signature preservation
7 I'm a TSP?
8 Use-cases
8.1 Use-cases where the SME is signing
8.1.1 eInvoicing
8.1.2 eProcurement Directive
8.1.3 Accessing markets across the EU and the impact of the Services Directive
8.2 Use-cases where the SME and the SME's customers / partners are co-signing or co-sealing
9 Annex Digital signatures standardization
Bibliography

European foreword

This document (CEN/TR 419030:2018) has been prepared by Technical Committee CEN/TC 224 “Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

Introduction

Today, it is possible to electronically sign data to achieve the same effects as when using a hand-written signature. Such electronic signatures benefit from full legal recognition due to the EU Regulation N° 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market [1] (hereafter referred to as Regulation (EU) N° 910/2014) which addresses various services that can be used to support different types of electronic transactions and electronic signatures in particular.

The use of secure electronic signatures should help the development of online businesses and services in Europe. The European Commission standards initiative aims at answering immediate market needs by:

- securing online transactions and services in Europe in many sectors: e-business, e-administration, e-banking, online games, e-services, online contract, etc.;
- contributing to a single digital market;
- creating the conditions for achieving the interoperability of electronic signatures at a European level.

Besides the
legal framework, the technical framework at the present time is very mature. Citizens routinely sign data electronically by using cryptographic mechanisms, e.g. when they use a credit card or debit card to make a payment. Electronic signatures implemented by such cryptographic mechanisms are called “digital signatures”. Appropriate technical methods for digital signature creation, validation and preservation, as well as ancillary tools and services provided by trust service providers (TSPs), are specified in a series of documents developed along with the present document.

The present document is part of a rationalized framework of standards (see ETSI TR 119 000 [6]) realized under the Standardization Mandate 460 issued by the European Commission to CEN, CENELEC and ETSI for updating the existing standardization deliverables. Further support is provided to the emerging cross-border use of eSignatures through other legal and policy instruments that affect electronic processes being used in the market today (e.g. eInvoicing Directive [3], Public Procurement Directive [4] and Services Directive [5]).

In this framework, CEN is in charge of issuing Guidelines for electronic signatures implementation. These guidelines are provided through two documents:

- CEN/TR 419030, “Rationalized structure for electronic signature standardization - Best practices for SMEs”, aligned with standards developed under the Rationalised Framework as described by ETSI SR 001 604, and
- CEN/TR 419040, “Rationalized structure for electronic signature standardization - Guidelines for citizens”, explaining the concept and use of electronic signatures.

The present document builds on CEN/TR 419040. These two documents differ slightly from the other documents in the Technical Framework since they go beyond the
technical concept of “digital signature” and deal also with the legal concepts of electronic signatures and electronic seals.

1 Scope

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering dematerializing paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signatures products and services - they should rather rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services.

This document builds on CEN/TR 419040, “Guidelines for citizens”, explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).

Once the decision is taken to deploy electronic signatures or electronic seals in support of their
business, SMEs will then typically collaborate with their chosen providers of electronic signature or electronic seal products or services, which can be done on the basis of ETSI TR 119 100 “Guidance on the use of standards for signature creation and validation”, which helps enterprises fulfil their business requirements.

The present document presents to SMEs the concepts and use of the relevant standards developed under the Rationalised Framework.

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

- IEC Electropedia: available at http://www.electropedia.org/
- ISO Online browsing platform: available at http://www.iso.org/obp

2.1
advanced electronic signature
electronic signature which meets the requirements set out in Article 26 of
Regulation (EU) N° 910/2014 [1]

Note 1 to entry: Article 26: An advanced electronic signature shall meet the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (11)

2.2
electronic signature (from the regulation)
data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (10)

2.3
digital signature
data appended to, or a cryptographic transformation (see cryptography) of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient

SOURCE: ISO/IEC 7498 / ITU-T/Recommendation X.800 [i.x]

2.4
trust service provider
natural or legal person who provides
one or more trust services either as a qualified or as a non-qualified trust service provider

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (19)

2.5
trust service
electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (16)

2.6
qualified trust service
trust service that meets the applicable requirements laid down in this Regulation

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (17)

2.7
qualified trust service provider
trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (20)

2.8
signature creation device
configured software or hardware used to create an electronic signature

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (22)

2.9
qualified electronic signature
advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (12)

2.10
certificate for electronic signature
electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (14)

2.11
signatory
natural person who creates an electronic signature

SOURCE: Regulation (EU) N° 910/2014 [1], Article 3 (9)

2.12
certificate
public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the certification authority which issued it

Note 1 to entry: The
term certificate is used for public key certificate within the present document.

SOURCE: ISO/IEC 9594-8 / ITU-T Recommendation X.509

2.13
entity authentication means the corroboration of the claimed identity of an entity and a set of its observed attributes

SOURCE: Modinis Study on Identity Management in eGovernment, Common terminological framework for interoperable electronic identity management, v2.01, November 23, 2005.

2.14
data authentication means the corroboration that the origin and the integrity of data are as claimed

SOURCE: Modinis Study on Identity Management in eGovernment, Common terminological framework for interoperable electronic identity management, v2.01, November 23, 2005.

2.15
data authentication data means data in electronic form which are attached to or