ImageVerifierCode 换一换
格式:PDF , 页数:13 ,大小:153.82KB ,
资源ID:735642      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-735642.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ETSI TR 102 040-2005 Electronic Signatures and Infrastructures (ESI) International Harmonization of Policy Requirements for CAs issuing Certificates (V1 3 1)《电子签名和基础结构(ESI) 对CAs签发证_1.pdf)为本站会员(王申宇)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ETSI TR 102 040-2005 Electronic Signatures and Infrastructures (ESI) International Harmonization of Policy Requirements for CAs issuing Certificates (V1 3 1)《电子签名和基础结构(ESI) 对CAs签发证_1.pdf

1、 ETSI TR 102 040 V1.3.1 (2005-03)Technical Report Electronic Signatures and Infrastructures (ESI);International Harmonizationof Policy Requirements for CAs issuing CertificatesETSI ETSI TR 102 040 V1.3.1 (2005-03) 2 Reference RTR/ESI-000027 Keywords e-commerce, electronic signature, public key, secu

2、rity, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the p

3、resent document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In ca

4、se of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this a

5、nd other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authori

6、zed by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2005. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIP

7、HON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 040 V1.3.1 (2005-03) 3 Contents Intellectual Property Rights4 Foreword.4 1 Sc

8、ope 5 2 References 5 3 Definitions and abbreviations.6 3.1 Definitions6 3.2 Abbreviations .6 4 Objective 7 5 Relevant activities 7 5.1 Introduction 7 5.2 IETF PKIX policy and practices framework7 5.3 ABA PKI assessment guidelines 7 5.4 US Federal PKI 8 5.5 APEC TEL eSTG .8 5.6 ANSI X9.79 - PKI polic

9、y and practices framework.9 5.7 ISO TC68 - PKI policy and practices framework 9 5.8 OECD.9 6 Recommendations 9 Annex A: Letter from US on Mapping to US Federal PKI11 History 13 ETSI ETSI TR 102 040 V1.3.1 (2005-03) 4 Intellectual Property Rights IPRs essential or potentially essential to the present

10、 document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respe

11、ct of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the

12、existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

13、 ETSI ETSI TR 102 040 V1.3.1 (2005-03) 5 1 Scope The present document presents the results of ongoing work to harmonize existing ETSI Technical Specification (TS) on policy requirements for certification authorities (TS 101 456 1 and TS 102 042 2) with other internationally recognized standards and

14、related activities. The aim of the present document is to identify the way forward to meet the requirements of European Electronic Signature Directive 1999/93/EC 6 whilst operating within an internationally harmonized certificate policy framework to facilitate cross recognition between PKI policy en

15、vironments. 2 References For the purposes of this Technical Report (TR) the following references apply: 1 ETSI TS 101 456: “Policy requirements for certification authorities issuing qualified certificates“. 2 ETSI TS 102 042: “Policy requirements for certification authorities issuing public key cert

16、ificates“. 3 IETF RFC 2527: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework“. NOTE: Obsoleted by RFC 3647 4. 4 IETF RFC 3647: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework“. NOTE: Obsoletes RFC 25

17、27 3. 5 ISO/IEC 14516: “Information technology - Security techniques - Guidelines for the use and management of Trusted Third Party services“. 6 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 7 American Bar A

18、ssociation: “PKI Assessment Guidelines (PAG)“. 8 ANSI X9.79: “Financial Services Public Key Infrastructure (PKI) Policy and Practices Framework“. 9 ISO/DIS 21188: “Public key infrastructure for financial services - Practices and policy framework“. 10 CEN CWA 14172-1: “EESSI Conformity Assessment Gui

19、dance Part 1 - General“. 11 CEN CWA 14172-2: “EESSI Conformity Assessment Guidance - Part 2: Certification Authority services and processes“. 12 ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8 (2001): “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute

20、 certificate frameworks“. 13 CEN CWA 14167-1: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements“. 14 ISO 15782-1: “Certificate management for financial services - Part 1: Public key certificates“. ETSI ETSI TR 102 04

21、0 V1.3.1 (2005-03) 6 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: certificate: public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the certifi

22、cation authority which issued it NOTE: See ITU-T Recommendation X.509 | ISO/IEC 9594-8 12. certificate policy: named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements NOTE: See ITU-T Recommendation X

23、.509 | ISO/IEC 9594-8 12. certification authority: authority trusted by one or more users to create and assign certificates NOTE: See ITU-T Recommendation X.509 | ISO/IEC 9594-8 12. certification practice statement: statement of the practices which a certification authority employs in issuing certif

24、icates NOTE: See RFC 3647 4. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: ABA American Bar Association AICPA American Institute of Certified Public Accountants ANSI American National Standards Institute APEC Asia-Pacific Economic Community CA Certifi

25、cation Authority CEN Comit Europen de Normalisation CICA Canadian Institute of Chartered Accountants EESSI European Electronic Signature Standardization Initiative eSTG eSecurity Task Group FPKI Federal Public Key Infrastructure IETF Internet Engineering Task Force ISC Information Security Committee

26、 ISO International Organization for Standardization ISSS Information Society Standardisation System PAG PKI Assessment Guidelines NOTE: Document published by the American Bar Association 7. PKI Public Key Infrastructure PKIX Public Key Infrastructure X.509 based QCP Qualified Certificate Policy NOTE

27、: Policy defined in TS 101 456 1. WPISP Working Party on Information Security and Privacy ETSI ETSI TR 102 040 V1.3.1 (2005-03) 7 4 Objective The major objective of the present document on international certificate policy harmonization is achieving harmonization between other internationally recogni

28、zed policies and other policy requirements which are not constrained by the European legal framework, on the one side with, on the other side, CA policy requirements which meet the requirements of European electronic signature Directive 1999/93/EC 6. Thus, the main aim of harmonization is: to ensure

29、 that European CAs, both operating within the framework of European Directive and more generally, have at least equal recognition in the wider international marketplace; to ensure that certification systems accredited under the internationally recognized standards may also be able to meet the securi

30、ty and management requirements of the European approval (termed accreditation in European electronic signature Directive 1999/93/EC 6) schemes/frameworks. In order to achieve these objectives it is also important that there is a simple relationship between the structure and requirements of ETSI docu

31、ments and other internationally recognized standards. 5 Relevant activities 5.1 Introduction There are a wide range of activities relating to certificate policies and practices which have some international relevance. This clause does not aim to provide a comprehensive list of relevant activities; r

32、ather it identifies those which are most closely related to TS 101 456 1 (referred to in the present document as the ETSI QCP) and TS 102 042 2 and hence have aspects that are already aligned with these ETSI specifications. 5.2 IETF PKIX policy and practices framework The Internet Engineering Task F

33、orce (IETF) Public Key Infrastructure X.509 (PKIX) working group published in March 1999 a Certificate Policies and Certification Practices Framework - RFC 2527 3. This provides a structure for the specification of certificate policies and certification practice statements. RFC 2527 3 has been revis

34、ed by the IETF as RFC 3647 4. Whilst the technical changes in RFC 3647 4 are described as minimal, the recommended structure of PKI policy and practice statements have significantly changed with some sections, such as obligations, being spread across several different parts of the document. RFC 3647

35、 4 was released in November 2003. This is now starting to be used instead of RFC 2527 3 including adoption of the basis of ongoing work in the Federal PKI and APEC. The new release of the ETSI Qualified Certificate Policy TS 101 456 1 also uses this as its main reference instead of RFC 2527 3. Howev

36、er, RFC 2527 3 is still remains important basis for many existing PKI infrastructures. The ETSI QCP was developed around the concepts specified in RFC 2527 3 and RFC 3647 4, and a mapping to the provisions required in both documents are specified in an annex to TS 101 456 1. Most of the internationa

37、l certificate policy and accreditation schemes considered in this technical report are based around RFC 2527 3 or RFC 3647 4. Thus TS 101 456 1 provides a useful basis for work on international harmonization. 5.3 ABA PKI assessment guidelines The American Bar Association (ABA) Information Security C

38、ommittee (ISC) has produced guidelines for the assessment of a public key infrastructure called the PKI Assessment Guidelines (PAG) 7. The PAG provides general guidance particularly from the legal perspective. However, as a general guide the PAG does not identify specific requirements as necessary f

39、or a certificate policy. The PAG includes only a small amount of guidance regarding European legislation with a small amount of information on the Electronic Signature Directive 1999/93/EC 6. The PAG was published in 2003. ETSI ETSI TR 102 040 V1.3.1 (2005-03) 8 5.4 US Federal PKI The United States

40、federal government has established PKI infrastructure to support inter-departmental and inter-governmental security called the Federal PKI (FPKI). This is based around a Bridge CA which supports mapping between approved PKI domains. The approval is based around a “Federal Bridge CA Certificate Polic

41、y“ against which other PKI domain Certificate Policies may be mapped. The US FPKI executive and members of the ETSI ESI committee have worked together to develop a policy mapping document. This FPKI / ETSI QCP mapping document analyses elements of the two policies based upon the RFC 2527 3 framework

42、. This document has been finalized and on July 7 2004 the US General Services Administration - Office of Government-wide Policy made it official that the ETSI QCP (see annex A): “is fundamentally comparable to the USPKI Federal Bridge Certification Authority (FBCA) Certificate Policy at the medium a

43、ssurance level. The result is that Qualified certificates issued by Certification Authorities (CAs) established in European Member States, and which are compliant with the associated EESSI standards published by ETSI and Comit Europen de Normalisation (CEN), could be assured of their compatibility w

44、ith the US Federal PKI should they wish to pursue cross recognition“. This comparability was achieved taking also in account other specifications issued by ETSI ESI and by the CEN Information Society Standardisation System (CEN/ISSS) WS/E-SIGN workshop, in particular CEN CWA 14167-1 13, CEN CWA 1417

45、2-1 10 and CEN CWA 14172-2 11. It is suggested that future work is performed on an opposite mapping between the ETSI QCP on to the FPKI, which may be used as the basis of recognition of CAs operating in the US being recognized in Europe. 5.5 APEC TEL eSTG The eSecurity Task Group (eSTG) is a task gr

46、oup of the Business Facilitation Steering Group of the APEC Telecommunications and Information Working Group (APEC TEL) - APEC is the Asia-Pacific Economic Community. eSTG does not have a formal charter but has two basic functions: the security of information infrastructure and networks; interoperab

47、ility of electronic authentication schemes within the APEC region and with other non APEC entities. APEC has produced “Guidelines for Schemes to Issue Certificates Capable of Being Used in Cross Jurisdiction eCommerce“. These guidelines are based around a detailed analysis of a number of certificate

48、 policies and “accreditation“ schemes that have been developed around the ASIA-Pacific rim (including Australia, Canada, USA, Hong Kong and Singapore) as well as the ETSI Qualified Certificate Policy (QCP). Table 1: Policy and accreditation Schemes compared by APEC Australia Gatekeeper (Australian G

49、overnment) Grade 2, Type 2 Canada Government of Canada PKI Medium assurance European Union ETSI QCP - TS 101 456 1 Qualified certificate Hong Kong, China Electronic Transactions Ordinance Recognized certificate issued by a recognized CA Singapore Electronic Transactions Act Certificate issued by a licensed CA United States Federal Bridge Certification Authority Medium assurance From this analysis, APEC identified common approaches and identified a model for accredi

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1