1、 ETSI TR 119 600 V1.2.1 (2016-03) Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for trust service status lists providers TECHNICAL REPORT ETSI ETSI TR 119 600 V1.2.1 (2016-03) 2 Reference RTR/ESI-0019600v121 Keywords e-commerce, electronic signature, security, tru
2、st services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloa
3、ded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing
4、or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject
5、to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/Peopl
6、e/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the wr
7、itten authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GP
8、PTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 119 600 V1.2.1 (2016-03) 3 Contents Intellectual property rights 4g3Foreword . 4g3Moda
9、l verbs terminology 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 5g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 7g34 Introduction to trusted lists, trust services status lists and their providers . 8g34.1 Trust
10、 service and trust service provider 8g34.2 Trust service status lists and trusted lists 8g34.2.1 Trust service status lists 8g34.2.2 Trusted lists . 8g34.3 TSL/TL trust model 10g34.4 Providers of trust service status list or trusted lists . 10g34.5 Aspects of TSL/TL provisioning services subject to
11、standardization 10g35 Guidance on the implementation of TSLs/TLs and selection of standards 11g35.1 Business requirements analysis 11g35.2 Policy and security requirements analysis 11g35.3 Business scoping parameters 11g35.4 Technical implementation and further selection of standards 12g3History 14g
12、3ETSI ETSI TR 119 600 V1.2.1 (2016-03) 4 Intellectual property rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found i
13、n ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy
14、, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Techni
15、cal Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in
16、 clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction Trust service status list is the general term used to designate the form of a signed list as the basis
17、for presentation of trust service status information. The purpose of a trust service status list is to provide a harmonized way in which approval schemes, having an oversight role with regards to trust services and their providers, can publish information about the services and trust service provide
18、rs which they currently oversee, or indeed (through the provision of historical information) have overseen. ETSI ETSI TR 119 600 V1.2.1 (2016-03) 5 1 Scope The present document provides guidance on the selection of standards and their options to organizations wishing to establish a trust service sta
19、tus list, for a particular business implementation context and associated business requirements. The present document describes the business scoping parameters relevant to this area and how the relevant standards and options for this area can be identified given these business scoping parameters. Th
20、e target audience of the present document includes those potentially requiring support from trust services and in particular trust service status lists. The present document provides an explanation of how related standards can be used to meet the business needs. 2 References 2.1 Normative references
21、 References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referen
22、ced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced do
23、cuments are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-s
24、pecific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the
25、application of the present document but they assist the user with regard to a particular subject area. i.1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. NOTE: This Directive and its implementations in EU Mem
26、ber States legislation are the applicable European legislation until 1 July 2016 at which date the Directive will be repealed by Regulation (EU) No 910/2014 i.2. i.2 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust servi
27、ces for electronic transactions in the internal market and repealing Directive 1999/93/EC. i.3 ETSI TS 119 612: “Electronic Signatures and Infrastructures (ESI); Trusted Lists“. i.4 Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electron
28、ic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market i.5 ETSI EN 319 411 (all parts): “Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers i
29、ssuing certificates“. ETSI ETSI TR 119 600 V1.2.1 (2016-03) 6 i.6 European Regulation 765/2008 of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93. i.7 Commission Decision 2010/425/EU of
30、28 July 2010 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States. i.8 Commission Decision 2013/662/EU of 14 October 2013 amending Decision 2009/767/EC as regards the establi
31、shment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States. i.9 ETSI TS 102 231: “Electronic Signatures and Infrastructures (ESI); Provision of harmonized Trust-service status information“. i.10 ETSI TS 119 611: “Electronic Signatur
32、es and Infrastructures (ESI); Policy Trust service status lists“. i.12 ETSI TS 119 172 (all parts): “Electronic Signatures and Infrastructures (ESI); Signature Policies“. i.13 ETSI TS 119 603: “Electronic Signatures and Infrastructures (ESI); General requirements and guidance for conformity assessme
33、nt of trust service status lists providers“. i.14 ETSI TS 119 613: “Electronic Signatures and Infrastructures (ESI); Requirements for conformity assessment bodies assessing trusted lists providers“. i.15 ETSI TS 119 614: “Electronic Signatures and Infrastructures (ESI); Testing conformance b) on the
34、 TSPs recognized by the scheme; c) on the service(s) provided by these TSPs and the current status of the service(s); d) on the status history of each service. 4.3 TSL/TL trust model TSL and TL are signed electronic documents. To verify the signature, relying parties need to be able to access the ap
35、plicable public key. Since the scheme under which the TSLs or TLs are issued is effectively positioned “above“ the TSPs approved by that scheme, the authenticity of the public key cannot be verified solely on the basis of its certification by any TSP inside or outside the scheme. Providing the schem
36、es public key is therefore a problem very similar to providing the public key of a CA service. NOTE: A possible solution to this problem is the publication of such public keys in the relevant Official Journals. In the case where several TSLs or TLs participate to a common approval scheme or when the
37、re is a need to group and facilitate access to such TSLs or TLs, a compiled list of pointers towards such TSLs or TLs can be established, published and maintained. Such a compiled list of pointers towards logically grouped TSLs or TLs can also play an important role in authenticating and trusting ea
38、ch TSL or TL which is pointed to by the compiled list. As a TSL or TL is signed by its provider, the certificate (or public key) to be used to verify such a signature can be included in the compiled list together with the corresponding pointer to this TL. The compiled list of pointers can be signed
39、and the certificate to be used to verify the signature on the compiled list can be published in an official journal or in another trustworthy publication. 4.4 Providers of trust service status list or trusted lists The TSL/TL providers (also called approval scheme operators) establishing, publishing
40、 and maintaining TLs or TSLs can be considered as a specific type of trust service provider and the issuance of TLs and TSLs considered a specific type of trust service. The recognition and trustworthiness of such trust service providers is likely to depend on applicable legislation and/or on policy
41、 and security requirements on their practices and the policies they use to provide their services related to the establishing, publication and maintenance of their TLs or TSLs. 4.5 Aspects of TSL/TL provisioning services subject to standardization Similarly to other types of TSPs described in clause
42、 4.1, several aspects of TSL/TL are subject to standardization. This covers: a) Policy b) the specific business, legislative and geographical context in which the provision of such lists and information they contain applies; c) potential mutual recognition being sought with trust services and trust
43、service providers in the applicable domain. 5.2 Policy and security requirements analysis Secondly the process regarding the analysis of the practices and policy requirements as well as the conduction of a risk analysis relating to the provision of TSLs/TLs will be addressed in the relevant policy r
44、equirements document as identified in clause 5.4. 5.3 Business scoping parameters The selection of standards and their options for the provision of TSLs/TLs depends on the following business scoping parameters: a) Business domain: In particular whether the list is aimed to be: 1) a trusted list to b
45、e established, published and maintained by an EU Member State or EEA country to which the applicable EU, and when applicable national, legislations apply; or 2) a trusted list to be established, published and maintained by a non-EU country or an international organization e.g. seeking for potential
46、mutual recognition and/or interoperability with European trusted lists; or ETSI ETSI TR 119 600 V1.2.1 (2016-03) 12 3) any other type of trust service status list. b) Whether a formal recognition is required, e.g. through an independent audit, that a TSL/TL provider meets recognized criteria (called
47、 policy requirements in the standards for this area) for being trustworthy to meet the legal or commercial requirements of the user community. 5.4 Technical implementation and further selection of standards Given the selection choices, the standards for the TSP providing TSL/TL should be used as ind
48、icated in table 1. This will also help TSL/TL providers in: a) defining rules for instantiation of TSLs or TLs (for EUMS or for non-EU countries or international organization); and b) defining editing and usage rules of instantiated TSLs or TLs (for EUMS or for non-EU countries or international orga
49、nization). Table 1: Summary of guidance on selection of standards Topic TL - EU MS TL - non EU & International Organizations (Other) TSSLs Practices No standard available yet. Possible future standard(s): ETSI TS 119 611 i.10 No standard available yet. Possible future standard(s): ETSI TS 119 611 i.10 No standard available List content provisions Before 1stJuly 2016, Commission Decision 2009/767/EC i.4 as amended by Commission Decision 2010/425/EU i.7 and Commission Decision 2013/662/EU i.8 (based on V1.1.1 of ETSI TS 119 612 i
copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1