ETSI TS 102 573-2012 Electronic Signatures and Infrastructures (ESI); Policy requirements for trust service providers signing and/or storing data objects (V2.1.1)

ETSI TS 102 573 V2.1.1 (2012-04)
Electronic Signatures and Infrastructures (ESI);
Policy requirements for trust service providers signing and/or storing data objects
Technical Specification

Reference: RTS/ESI-00124
Keywords: data preservation, e-commerce, electronic signature, provider, security, trust services

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret No. 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) No. 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2012. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Notation
5 General concepts
5.1 ISO/IEC 27001 ISMS and “Policy Requirements”
5.2 Fiscally Relevant Provisions
5.2.1 Fiscally Relevant Data objects
5.2.2 Basic Model for Fiscally Relevant Data Objects
5.2.3 Commonly Acceptable Practices for Trusted Service Providers
5.3 Normalized and Extended Policy Requirements
5.4 User Community and Applicability
5.5 Conformance requirements
6 Obligations
6.1 Trust service providers obligations
6.2 Trust service providers organizational requirements
6.3 Subscriber obligations
6.4 Information for trading partner
6.5 Information for auditor/regulatory/tax authorities
Annex A (normative): Objectives and controls - signature and storage
Annex B (normative): Objectives and controls - information security management
Annex C (informative): Change history
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present data object.

Foreword

This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

Introduction

Electronic records can provide a sound basis for maintaining data object, and with the application of good practices can prove more secure and robust than the use of paper. The key issue is ensuring integrity, authenticity and legibility to preserved data objects throughout the entire storage period. This issue is particularly relevant to the case where the data object owner resorts to a Data Preservation Service Provider (DPSP) since, especially when fiscal accounts are involved, the owner is in any case responsible towards the law of the preserved data, regardless that the actual preservation is in charge of a service provider. Therefore for the owner choosing a reliable Service Provider is of paramount importance.

Within the scope of the EU Community legislation on consumer protection, EU Services Directive 2006/123/EC [i.1], article 26 requires EUMS to “take accompanying measures to encourage providers to take action on a voluntary basis in order to ensure the quality of service provision”. This will be accomplished through certification, independent assessment or compliance with quality charters.

It is to be noted too that, if a DPSP bases its services on electronic signatures, its certification/assessment is also consistent with Directive 1999/93/EC [8] that, at art. 3(2), allows Member States to “introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision”. Art. 2(11) of this Directive defines: “‘certification-service-provider’ means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures”. What these services are, is clarified in Whereas (9) that reads: “the definition of such services should also encompass any other service and product using, or ancillary to, electronic signatures”. Therefore DPSPs, providing services based on electronic signatures, are Certification Service Providers.

The present document, consistently with the Services Directive goals, specifies policy requirements that anyone who archives data objects, on his own account or as a provision of services to his customers, may comply with. Such policy requirements complement the number of archival related standards and specifications with provisions on Information Security Management related to Storage Systems. These requirements apply to fiscally relevant data objects storage.

The technical format of the data to be preserved as well as the process of the signature creation are of importance for ensuring authenticity and integrity to the data object, therefore some European national governments regulate practices for achieving this goal through use of electronic signatures and of data formats that are not vulnerable to changes in presentation through malicious code. It would be welcome if these EU Member States also adopt a common policy for data objects storage, based for example on matching the policy requirements specified in the present document, thus facilitating the development of a EU-wide market for this kind of services.

The present document is based on the findings presented in TR 102 572 [i.2] and addresses policy requirements by both natural/legal persons that perform data objects storage on their own behalf as well as on behalf of other natural/legal persons.

1 Scope

The present document specifies policy requirements applicable to Trusted Service Providers (TSP) that electronically sign and/or store data objects on behalf of their customers. These policy requirements may also be complied with by persons that store data objects on their own.

The present document aims to address regulatory requirements to produce and reliably keep, even indefinitely, electronic data objects, where applicable also signed.

The practices identified in the present document are independent of the type of data object being preserved, although peculiar requirements for fiscally relevant ones are also specified.

The present document is directed at policies involving the use of the Advanced Electronic Signatures or Qualified Electronic Signatures. The primary aim of the application of signatures is to assure the integrity and the authenticity of origin of data objects in communication and storage. However, signatures may also be used, where required, to provide content commitment (i.e. non-repudiation).

The present document addresses solely the Advanced Electronic Signature based solutions. It is recognized that other suitable measures, not employing Advanced Electronic Signatures, and hence that are outside the scope of the present document, may be applied to assure the authenticity and integrity of digital data objects. It should be noted that the reliability of such alternative measures generally depend on the trustworthiness of the organization, on the exhaustiveness of the adopted practices and procedures and may require independent assessment of the technical and organizational measures applied. Advanced Electronic Signatures may be used to augment existing measures to provide even higher security, or to reduce the need for other controls. This fits particularly art. 233 of EU VAT Directive 2006/112/EC [9] as amended by 2010/45/EU.

The present document may be used by competent independent bodies as the basis for confirming that an organization is trustworthy in issuing and storing signed electronic data object on behalf of other persons or on its own behalf.

The present document does not specify how the requirements identified may be assessed by an independent party, including requirements for data object to be made available to such independent assessors, or requirements on such assessors.

Within the present document the key words “should” indicates that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications need to be understood and carefully weighed before choosing a different course.

Guidance on implementing a trustworthy Data object Preservation System can be found in TS 101 533-1 [i.3].

Guidance on assessing Data object Preservation Systems can be found in TR 101 533-2 [i.4].

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

[1] CEN CWA 14169: “Secure signature-creation devices "EAL 4+"”.
NOTE: http://www.cenorm.be/catweb/35.040.htm.
[2] CEN CWA 15579: “E-invoices and digital signatures”.
NOTE: http://www.cenorm.be/isss/einv.
[3] CEN CWA 15580: “Storage of Electronic Invoices”.
NOTE: http://www.cenorm.be/isss/einv.
[4] ISO/IEC 27002: “Information technology - Security techniques - Code of practice for information security management”.
[5] ISO/IEC 27001: “Information technology - Security techniques - Information security management systems - Requirements”.
[6] ISO/IEC 15408 (parts 1 to 3): “Information technology - Security techniques - Evaluation criteria for IT security”.
[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[8] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
[9] Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax, as amended by Council Directive 2010/45/EU of 13 July 2010.
[10] Council Directive 2001/115/EC of 20 December 2001 amending Directive 77/388/EEC with a view to simplifying, modernising and harmonising the conditions laid down for invoicing in respect of value added tax.
[11] ETSI TS 101 456: “Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates”.
[12] ETSI TS 102 042: “Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates”.
[13] ETSI TS 102 176-1: “Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms”.
[14] ETSI TS 102 734: “Electronic Signatures and Infrastructures; Profiles of CMS Advanced Electronic Signatures based on TS 101 733 (CAdES)”.
[15] ETSI TS 102 904: “Electronic Signatures and Infrastructures; Profiles of XML Advanced Electronic Signatures based on TS 101 903 (XAdES)”.
[16] ETSI TS 101 733: “Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)”.
[17] ETSI TS 101 903: “Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES)”.
[18] CEN CWA 14170: “Security requirements for signature creation applications”.
[19] ETSI TS 102 778: “Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles”.
[20] ETSI TS 102 918: “Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC)”.

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market.
[i.2] ETSI TR 102 572: “Best Practices for handling electronic signatures and signed data for digital accounting”.
[i.3] ETSI TS 101 533-1: “Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 1: Requirements for Implementation and Management”.
[i.4] ETSI TR 101 533-2: “Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 2: Guidelines for Assessors”.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

advanced electronic signature: electronic signature which is uniquely linked to the sender, is capable of identifying the signatory, is created using means that the signatory can maintain under his sole control,
