ETSI TR 119 400-2016 Electronic Signatures and Infrastructures (ESI) Guidance on the use of standards for trust service providers supporting digital signatures and related services.pdf

1、 ETSI TR 119 400 V1.1.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for trust service providers supporting digital signatures and related services TECHNICAL REPORT ETSI ETSI TR 119 400 V1.1.1 (2016-03) 2 Reference DTR/ESI-0019400 Keywords e-commerce, e

2、lectronic signature, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice T

3、he present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization

4、 of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware

5、 that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following serv

6、ices: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version sh

7、all not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered f

8、or the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 119 400 V1.1.1 (2016-03) 3 Contents Intellectual Pro

9、perty Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Introduction to trust services and trust service providers

10、. 7g34.1 What is a trust service and trust service provider . 7g34.2 Types of trust service provider . 8g34.2.1 TSP issuing certificates . 8g34.2.2 TSP issuing time-stamps . 8g34.2.3 Other potential trust services 8g34.2.4 Other trust services outside scope . 9g35 Aspects of trust services requiring

11、 standardization 9g35.1 Policy Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, includ

12、ing IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been p

13、roduced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Dr

14、afting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction ETSI TR 119 000 i.2 (“The framework for standardization of signatures: overview“) provides an overview of the general structure f

15、or digital signatures standardization outlining existing and potential standards for such signatures. It identifies six areas of standardization with a list of existing and potential future standards in each area. The present document is one of a series guidance documents to assist readers and their

16、 suppliers in identifying the digital signature standards, as well as technical specifications, and their options relevant to their needs. Each guide addresses a particular area as identified in ETSI TR 119 000 i.2. This series is based on the process of selecting business scoping parameters for eac

17、h area of standardization. The selection of these scoping parameters is based on process involving an analysis of the business requirements and associated risks leading to an identification of the policy and security requirements and to an analysis of the resulting business scoping parameters from w

18、hich the appropriate standards and options can be selected. From the requirements expressed in terms of business scoping parameters for an area, each guidance document provides assistance in selecting the appropriate standards and their options for that area. Where standards, as well as technical sp

19、ecifications, and their options within one area make use of another area this is stated in terms of scoping parameters of that other area. A trust service is a service which enhances the trust and confidence in electronic transactions between parties. They are used, for example, to certify ownership

20、 of keys used for digital signatures. The present document does not include any normative requirements but provides guidance on addressing the trust service provider (TSP) supporting digital signatures, on the selection of applicable standards and their options for a particular business implementati

21、on context and associated business requirements. This general process of the selection of standards and options is described further in ETSI TR 119 000 i.2, clause 4.2.6. ETSI ETSI TR 119 400 V1.1.1 (2016-03) 5 1 Scope The present document provides guidance on the selection of standards and options

22、for the trust service provider supporting digital signatures and related services (area 4) as identified in ETSI TR 119 000 i.2. The present document describes the business scoping parameters relevant to this area (see clause 5) and how the relevant standards and options for this area can be identif

23、ied given the business scoping parameters (see clause 6). The target audience of the present document includes: 1) Business managers who potentially require support from digital signatures and in particular the provision of related supporting trust services in their business will find here an explan

24、ation of how digital signatures standards can be used to meet their business needs. 2) Application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to

25、 digital signatures and in particular the provision of related supporting trust services. They will gain a better understanding on how to select the appropriate standards to be implemented and/or used. 3) Developers of the systems who will find in the present document an understanding of the main re

26、asons that lead the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development. 2 References 2.1 Normative references References are either specific (identified by date of publication and/o

27、r edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expect

28、ed location might be found at https:/docbox.etsi.org/Reference/. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not

29、 applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (inc

30、luding any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with reg

31、ard to a particular subject area. i.1 Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. i.2 ETSI TR 119 000: “Electronic Signatures and Infra

32、structures (ESI); The framework for standardization of signatures: overview“. i.3 ETSI TR 119 100: “Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for signature creation and validation“. ETSI ETSI TR 119 400 V1.1.1 (2016-03) 6 i.4 ETSI EN 319 401: “Electronic Signa

33、tures and Infrastructures (ESI); General policy requirements for trust service providers“. i.5 ETSI EN 319 411-1: “Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements“. i.6 ETSI EN 319 411-2:

34、 “Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates“. i.7 ETSI EN 319 421: “Electronic Signatures and Infrastructures (ESI); Policy and

35、 Security Requirements for Trust Service Providers issuing Time-Stamps“. i.8 ETSI EN 319 412-1: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures“. i.9 ETSI EN 319 412-2: “Electronic Signatures and Infrastructures (ESI); Certificate P

36、rofiles; Part 2: Certificate Profile for certificates issued to natural persons“. i.10 ETSI EN 319 412-3: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 3: Certificate Profile for certificates issued to legal persons“. i.11 ETSI EN 319 412-4: “Electronic Signatures and

37、Infrastructures (ESI); Certificate Profiles; Part 4: Certificate Profile for web site certificates“. i.12 ETSI EN 319 412-5: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 5: QCStatements“. i.13 ETSI EN 319 422: “Electronic Signatures and Infrastructures (ESI); Time-sta

38、mping protocol and time-stamp token profiles“. i.14 ETSI EN 319 403: “Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers“. i.15 ETSI EN 319 122 (all parts): “Electronic Signat

39、ures and Infrastructures (ESI); CAdES digital signatures“. i.16 ETSI EN 319 132 (all parts): “Electronic Signatures and Infrastructures (ESI); XAdES digital signatures“. i.17 ETSI EN 319 142 (all parts): “Electronic Signatures and Infrastructures (ESI); PAdES digital signatures“. i.18 ETSI EN 319 16

40、2 (all parts): “Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC)“. i.19 ISO 15408: “Information technology - Security techniques - Evaluation criteria for IT security“. i.20 Recommendation ITU-T X.509/ISO/IEC 9594-8: “Information technology - Open Systems Inter

41、connection - The Directory: Public-key and attribute certificate frameworks“. i.21 IETF RFC 3161: “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)“. i.22 IETF RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2“. i.23 ETSI SR 019 020: “The framework for standardizat

42、ion of signatures; Standards for AdES digital signatures in mobile and distributed environments“. i.24 ETSI TR 119 500: “Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for trust application service providers“. i.25 ETSI TR 119 001: “Electronic Signatures and Infras

43、tructures (ESI); The framework for standardization of signatures; Definitions and abbreviations“. ETSI ETSI TR 119 400 V1.1.1 (2016-03) 7 i.26 CA/Browser Forum: “Guidelines for The Issuance and Management of Extended Validation Certificates“. i.27 CA/Browser Forum: “Baseline Requirements for the Iss

44、uance and Management of Publicly-Trusted Certificates“. i.28 ISO/IEC 27002: “Information technology - Security techniques - Code of practice for information security management“. i.29 IETF RFC 5816: “ESSCertIDv2 Update for RFC 3161“. 3 Definitions and abbreviations 3.1 Definitions For the purposes o

45、f the present document, the terms and definitions given in ETSI TR 119 001 i.25 and the following apply: EU qualified trust service provider: trust service provider that meets the requirements for qualified trust service providers laid down in Regulation (EU) No 910/2014 i.1 NOTE: These definitions

46、are aligned with those used in the standards referred to in the present document. 3.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI TR 119 001 i.25 and the following apply: CA Certification Authority SSL Secure Socket Layer NOTE: Newer version of this protoc

47、ol has been specified as TLS i.22. TLS Transport Layer Security 4 Introduction to trust services and trust service providers 4.1 What is a trust service and trust service provider A trust service is a service which enhances the trust and confidence in electronic transactions between parties. A trust

48、 service is provided by a “third“ party (trust service provider - TSP) which needs to be trusted (directly or indirectly) by the transacting parties. The TSP provides information (e.g. a key that may be used to authenticate an identified person), in the form of a trust service token which can be use

49、d by the transacting parties to enhance the security of transactions between them. Generally, a TSP also provides associated management services to maintain information used in the trust service tokens. The concept of TSP is a generalization of an earlier concept of a provider of public key certificates, commonly called a certification authority. The concept of trust service and trust service provider is also used in relation to specific regulatory requirements in the European Union Regulation (EU)