ETSI TR 102 437-2006 Electronic Signatures and Infrastructures (ESI) Guidance on TS 101 456 (Policy Requirements for certification authorities issuing qualified certificates) (V1 1_1.pdf

1、 ETSI TR 102 437 V1.1.1 (2006-10)Technical Report Electronic Signatures and Infrastructures (ESI); Guidance on TS 101 456 (Policy Requirements for certification authorities issuing qualified certificates) ETSI ETSI TR 102 437 V1.1.1 (2006-10) 2 Reference DTR/ESI-000023 Keywords e-commerce, electroni

2、c signature, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the

3、present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In c

4、ase of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this

5、and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as author

6、ized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2006. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TI

7、PHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 437 V1.1.1 (2006-10) 3 Contents Intellectual Property Rights5 Foreword.5 Int

8、roduction 5 1 Scope 7 2 References 7 3 Definitions and abbreviations.9 3.1 Definitions9 3.2 Abbreviations .9 3.3 Additional terms used in the present document9 4 General Concepts .10 5 Introduction to qualified certificate policies.10 5.1 Overview 10 5.2 Identification 11 5.3 User Community and appl

9、icability.11 5.3.1 QCP public + SSCD .12 5.3.2 QCP public12 5.4 Conformance 12 5.4.1 General12 5.4.2 QCP public + SSCD .14 5.4.3 QCP public14 6 Obligations and liability .14 6.1 Certification authority obligations14 6.2 Subscriber obligations 15 6.3 Information for Relying parties 17 6.4 Liability 1

10、8 7 Requirements on CA practice.18 7.1 Certification practice statement19 7.2 Public key infrastructure - Key management life cycle21 7.2.1 Certification authority key generation 21 7.2.2 Certification authority key storage, backup and recovery.24 7.2.3 Certification authority public key distributio

11、n27 7.2.4 Key escrow .27 7.2.5 Certification authority key usage 27 7.2.6 End of CA key life cycle.28 7.2.7 Life cycle management of cryptographic hardware used to sign certificates .29 7.2.8 CA provided subject key management services30 7.2.9 Secure-signature-creation device preparation.31 7.3 Publ

12、ic key infrastructure - Certificate Management life cycle .32 7.3.1 Subject registration .32 7.3.2 Certificate renewal, rekey and update.36 7.3.3 Certificate generation37 7.3.4 Dissemination of Terms and Conditions.39 7.3.5 Certificate dissemination 40 7.3.6 Certificate revocation and suspension.41

13、7.4 CA management and operation 44 7.4.1 Security management44 7.4.2 Asset classification and management .48 7.4.3 Personnel security.49 7.4.4 Physical and environmental security.52 7.4.5 Operations management .54 7.4.6 System Access Management.56 ETSI ETSI TR 102 437 V1.1.1 (2006-10) 4 7.4.7 Trustw

14、orthy Systems Deployment and Maintenance .58 7.4.8 Business continuity management and incident handling 59 7.4.9 CA termination .62 7.4.10 Compliance with Legal Requirements63 7.4.11 Recording of Information Concerning Qualified Certificates.65 7.5 Organizational 67 8 Framework for the definition of

15、 other qualified certificate policies 69 8.1 Qualified certificate policy management69 8.2 Exclusions for non public QCPs.70 8.3 Additional requirements .71 8.4 Conformance 71 History 73 ETSI ETSI TR 102 437 V1.1.1 (2006-10) 5 Intellectual Property Rights IPRs essential or potentially essential to t

16、he present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETS

17、I in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given

18、as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Security (SEC). The present document i

19、s largely based on the “TTP.NL Guidance on TS 101 456 15“, issued by ECP.NL - The Electronic Commerce Platform for the Netherlands that kindly offered their document as a basis for the present document. Introduction Electronic commerce is getting momentum as a way of doing business and communicating

20、 across public and private networks. An important requirement of electronic commerce is the ability to identify the originator of electronic information in the same way that documents are signed using a hand-written signature. This is commonly achieved by using electronic signatures which are suppor

21、ted by a certification-service-provider issuing certificates, commonly called a certification authority. The Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures 1 (hereinafter referred to as “the Directive“) identifies a special form

22、of electronic signature which is based on a “qualified certificate“. Annex I of this Directive specifies requirements for qualified certificates. Annex II of the Directive specifies requirements on certification-service-providers issuing qualified certificates (i.e. certification authorities issuing

23、 qualified certificates). Annex III specifies requirements for secure signature creation devices. For users of electronic signatures to have confidence in the authenticity of the qualified electronic signatures they need to have confidence that the CA that issued the qualified certificate the electr

24、onic signature is based upon has properly established procedures and protective measure in order to minimize the operational and financial threats and risks associated with public key crypto systems. ETSI ESI issued, and keeps updated, the Technical Specification TS 101 456 15 that specifies baselin

25、e policy requirements on the operation and management practices of certification authorities issuing qualified certificates to the public, that are used in support of qualified electronic signatures (i.e. electronic signatures that are legally equivalent to hand-written signatures in line with artic

26、le 5.1 of the European Directive on a community framework for electronic signatures 1). The use of a secure-signature-creation device, as required through annex III of the Directive, is an optional element of these policy requirements. The present document provides guidelines on interpreting the TS

27、101 456 15 requirements for use by independent bodies and their assessors, certification service providers and other interested parties. Guidance is provided both to the assessors, by specifying which verifications they are recommended to do, and to the certification authorities, by indicating docum

28、ents and other factual reference they should provide to assessors. Interrelation of standards In figure 1 a schema is shown displaying the CAs areas (organization, systems, products, crypto modules) and the corresponding assessment scopes. ETSI ETSI TR 102 437 V1.1.1 (2006-10) 6 CA conforming to TS

29、101 456 Systems and products conforming to CWA 14167-1 hw / sw hw / sw Crypto module(s) conforming to FIPS-140 or CWA 14167 or ISO 15408 EAL 4 hw / sw Scope of evaluation of crypto module(s) Scope of audit of systems and products Scope of audit of the CA Management Organisation Processes Procedures

30、Legend Figure 1: Illustration of interrelation of standards regarding electronic signatures More specifically: CA management, organization, processes and procedures are to be assessed against TS 101 456 15; CA systems and products are to be assessed against CWA 14167-1 8; CA crypto systems are to be

31、 assessed against CWA 14167-2 9, -3 10, -4 11 as appropriate, or FIPS 140-1, -2 5, or suitable ISO/IEC 15408 7 protection profiles or security target to EAL 4. This implies the following: For the management system: auditing of documentation and implementation. For trustworthy systems: executing an E

32、DP-audit against CWA 14167-1 8 or verifying a statement that an EDP-audit against CWA 14167-1 has been carried out with positive results. For Crypto Modules: demanding statements, that fulfil certain conditions (based on the right standards, supplied by the right organizations and persons, etc.). Fu

33、rther assessment guidelines on TS 101 456 15 are provided in CWA 14172-2 18. In addition, guidance on assessment of trustworth systems against CWA 14167-1 8 is given in CWA 14172-3 18. The present document incorporates guidance on TS 101 456 15: As given in most notes included in TS 101 456 15. As g

34、iven in CWA 14172-2, by referring to the relevant sections. With additional guidance covering further issues identified in applying TS 101 456 15. The guidance taken from these 3 sources are provided in tables of the following form: Subject TS 101 456 Guidance Note / CWA 14172-2 Guidance / Additiona

35、l Guidance Best practice ETSI ETSI TR 102 437 V1.1.1 (2006-10) 7 1 Scope The present document provides guidance on interpreting the requirements specified in TS 101 456 (V1.4.1) 15. This guidance is intended for use by bodies that supervise (e.g. as per Directive articles 3.3), approve or accredit C

36、As (e.g. as per articles 3.2 of Directive 1), assessors, certification service providers and other interested parties. The present document purpose is to facilitate assessors in evaluating compliance of certification authorities with TS 101 456 15 and, consequently, to facilitate certification autho

37、rities in implementing TS 101 456 15 requirements. The original text of TS 101 456 15 is repeated in the present document to provide a comprehensive source. TEXT COPIED VERBATIM FROM TS 101 456 15 IS IN ITALIC. 2 References For the purposes of this Technical Report (TR) the following references appl

38、y: NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following references are taken from TS 101 456. 1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community fram

39、ework for electronic signatures. NOTE: The above is referred to as “the Directive“ in the present document. 2 IETF RFC 3647 (2003): “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework“. NOTE: Obsoletes IETF RFC 2527. 3 ITU-T Recommendation X.509 (2000)/

40、ISO/IEC 9594-8 (2001): “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. 4 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of per

41、sonal data and on the free movement of such data. 5 FIPS PUB 140-2 (2001): “Security Requirements For Cryptographic Modules“. NOTE: FIPS 140-1 certified devices are perfectly admissible and a valid alternative to FIPS 140-2. 6 ETSI TS 101 862: “Qualified certificate profile“. 7 ISO/IEC 15408 (2005)

42、(parts 1 to 3): “Information technology - Security techniques - Evaluation criteria for IT security“. 8 CEN Workshop Agreement 14167-1: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1 System Security Requirements“. 9 CEN Workshop Agreement 1416

43、7-2: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2: Cryptographic Module for CSP signing operations with backup - Protection profile (CMCSOB-PP)“. 10 CEN Workshop Agreement 14167-3: “C Security Requirements for Trustworthy Systems Managing Ce

44、rtificates for Electronic Signatures - Part 3: Cryptographic module for CSP key generation services - Protection profile (CMCKG-PP)“. ETSI ETSI TR 102 437 V1.1.1 (2006-10) 8 11 CEN Workshop Agreement 14167-4: “ Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signat

45、ures - Part 4: Cryptographic module for CSP signing operations - Protection profile - CMCSO PP“. 12 Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts. 13 ISO/IEC 17799 (2005): “Information technology - Security techniques - Code of practice for information security management

46、“. 14 ETSI TS 102 158: “Electronic Signatures and Infrastructures (ESI); Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified certificates“. Additional references 15 ETSI TS 101 456: “Electronic Signatures and Infrastructures (ESI); Policy requ

47、irements for certification authorities issuing qualified certificates“. 16 ETSI TS 102 176-1: “Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms“. 17 ETSI TS 102 176-2: “Electronic Signatures

48、and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms for signature creation devices“. 18 CWA 14172-2: “EESSI Conformity Assessment Guidance on ETSI TS 101 456“. 19 CWA 14172-3: “EESSI Conformity Assessment Guidance on

49、Trustworthy Systems“. 20 IETF RFC 2119: “Key words for use in RFCs to Indicate Requirement Levels“. 21 IETF RFC 4210: “Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)“. 22 IETF RFC 4211: “Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)“. 23 PKCS #5 v2.0: “Password-Based Cryptography Standard“. 24 TTP.NL Part 1: “Requirements and Guidance for the Certification of the Public Key Infrastructure of Ce