ETSI TS 119 495-2018 Electronic Signatures and Infrastructures (ESI) Sector Specific Requirements Qualified Certificate Profiles and TSP Policy Requirements under the payment servi.pdf

1、 ETSI TS 119 495 V1.1.1 (2018-05) Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/2366 TECHNICAL SPECIFICATION ETSI ETSI TS 119 495 V1.1.1 (2018-05)2 Reference DTS

2、/ESI-0019495 Keywords e-commerce, electronic signature, extended validation, payment, public key, security, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucr

3、atif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the p

4、resent document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network

5、 drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors i

6、n the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except a

7、s authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo ar

8、e trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks registered and owned b

9、y the GSM Association. ETSI ETSI TS 119 495 V1.1.1 (2018-05)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g3Introduction 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 6g33 Definitions and abbreviations . 6g33.1 Definitions

10、6g33.2 Abbreviations . 6g34 General concepts 7g34.1 Use of Qualified Certificates 7g34.2 Roles . 7g34.3 Payment Service Provider Authorizations and Services Passporting . 7g34.4 Authorization Number 8g34.5 Registration and Certificate Issuance . 8g34.6 Certificate Validation and Revocation . 8g35 Ce

11、rtificate profile requirements 9g35.1 PSD2 QCStatement 9g35.2 Encoding PSD2 specific attributes . 10g35.2.1 Authorization number . 10g35.2.2 Roles of payment service provider . 10g35.2.3 Name and identifier of the competent authority . 11g35.3 Requirements for QWAC Profile . 11g35.4 Requirements for

12、 QsealC Profile 12g36 Policy requirements 12g36.1 General policy requirements. 12g36.2 Additional policy requirements 12g36.2.1 Certificate profile 12g36.2.2 Initial identity validation . 12g36.2.3 Identification and authentication for revocation requests . 12g36.2.4 Publication and repository respo

13、nsibilities . 13g36.2.5 Certificate renewal 13g36.2.6 Certificate revocation and suspension. 13g3Annex A (normative): ASN.1 Declaration . 14g3Annex B (informative): Certificates supporting PSD2 clarification of the context . 15g3History 17g3ETSI ETSI TS 119 495 V1.1.1 (2018-05)4 Intellectual Propert

14、y Rights Essential patents IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property

15、 Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searche

16、s, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present document may include trademarks and/or

17、 tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not

18、constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Modal verbs terminology In the present document “shall“

19、, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in

20、 direct citation. Introduction Regulation (EU) No 910/2014 i.1 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (commonly called eIDAS) defines requireme

21、nts on specific types of certificates named “qualified certificates“. Directive (EU) 2015/2366 i.2 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010

22、, and repealing Directive 2007/64/EC (commonly called PSD2) defines requirements on communication among payment service providers and account servicing institutions. The Commission Delegated Regulation with regard to Regulatory Technical Standards on strong customer authentication and secure communi

23、cation (RTS henceforth) i.3 is key to achieving the objective of the PSD2 (Directive (EU) 2015/2366 i.2) of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union. The RTS defines requirements on the use of qualified certificates

24、(as defined in eIDAS) for website authentication and qualified certificates for electronic seal for communication among payment and bank account information institutions. The present document defines a standard for implementing the requirements of the RTS i.3 for use of qualified certificates as def

25、ined in eIDAS (Regulation (EU) No 910/2014 i.1) to meet the regulatory requirements of PSD2 (Directive (EU) 2015/2366 i.2). ETSI ETSI TS 119 495 V1.1.1 (2018-05)5 1 Scope The present document: 1) Specifies profiles of qualified certificates for electronic seals and website authentication, to be used

26、 by payment service providers in order to meet the requirements of the PSD2 Regulatory Technical Standards (RTS) i.3. Certificates for electronic seals can be used for providing evidence with legal assumption of authenticity (including identification and authentication of the source) and integrity o

27、f a transaction. Certificates for website authentication can be used for identification and authentication of the communicating parties and securing communications. Communicating parties can be payment initiation service providers, account information service providers, payment service providers iss

28、uing card-based payment instruments or account servicing payment service providers. These profiles are based on ETSI EN 319 412-1 1, ETSI EN 319 412-3 2, ETSI EN 319 412-4 3, IETF RFC 3739 6 and ETSI EN 319 412-5 i.6 (by indirect reference). 2) Specifies additional TSP policy requirements for the ma

29、nagement (including verification and revocation) of additional certificate attributes as required by the above profiles. These policy requirements extend the requirements in ETSI EN 319 411-2 4. 2 References 2.1 Normative references References are either specific (identified by date of publication a

30、nd/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the ex

31、pected location might be found at https:/docbox.etsi.org/Reference/. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document.

32、 1 ETSI EN 319 412-1: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures“. 2 ETSI EN 319 412-3: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 3: Certificate profile for certificates issued to legal person

33、s“. 3 ETSI EN 319 412-4: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 4: Certificate profile for web site certificates“. 4 ETSI EN 319 411-2: “Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certifi

34、cates; Part 2: Requirements for trust service providers issuing EU qualified certificates“. 5 Recommendation ITU-T X.680-X.699: “Information technology - Abstract Syntax Notation One (ASN.1)“. 6 IETF RFC 3739: “Internet X.509 Public Key Infrastructure: Qualified Certificates Profile“. 7 ISO 3166: “C

35、odes for the representation of names of countries and their subdivisions“. ETSI ETSI TS 119 495 V1.1.1 (2018-05)6 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the c

36、ited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced docu

37、ments are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transact

38、ions in the internal market and repealing Directive 1999/93/EC. i.2 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and

39、repealing Directive 2007/64/EC. i.3 Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open stand

40、ards of communication (Text with EEA relevance). i.4 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repea

41、ling Directives 2006/48/EC and 2006/49/EC. i.5 IETF RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2“. i.6 ETSI EN 319 412-5: “Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 5: QCStatements“. i.7 IETF RFC 5280: “Internet X.509 Public Key Infrastructure

42、Certificate and Certificate Revocation List (CRL) Profile“. i.8 CA/Browser Forum: “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms and definitions given in PSD

43、2 i.2, ETSI EN 319 412-1 1 and ETSI EN 319 411-2 4 apply. 3.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI EN 319 412-1 1, ETSI EN 319 411-2 4 and the following apply: CRL Certificate Revocation List NCA National Competent Authority OCSP Online Certificate

44、Status Protocol PSD2 Payment Services Directive 2 NOTE: See Directive (EU) 2015/2366 i.2. ETSI ETSI TS 119 495 V1.1.1 (2018-05)7 PSP Payment Service Provider PSP_AI Account Information Service Provider PSP_AS Account Servicing Payment Service Provider PSP_IC Payment Service Provider Issuing Card-bas

45、ed payment instruments PSP_PI Payment Initiation Service Provider QSealC Qualified electronic Seal Certificate QWAC Qualified Website Authentication Certificate RTS Regulatory Technical Standards NOTE: See Regulation 2018/389 i.3. 4 General concepts 4.1 Use of Qualified Certificates RTS i.3 Article

46、34.1 requires that, for the purpose of identification, payment service providers rely on qualified certificates for electronic seals or qualified certificates for website authentication. A website authentication certificate makes it possible to establish a Transport Layer Security (TLS) channel with

47、 the subject of the certificate, which guarantees confidentiality, integrity and authenticity of all data transferred through the channel. A certificate for electronic seals allows the relying party to validate the identity of the subject of the certificate, as well as the authenticity and integrity

48、 of the sealed data, and also prove it to third parties. The electronic seal provides strong evidence, capable of having legal effect, that given data is originated by the legal entity identified in the certificate. NOTE: Regulation (EU) No 910/2014 i.1 requires that TSPs issuing qualified certifica

49、tes demonstrate that they meet the requirements for qualified trust service providers as per the regulation. ETSI standards referenced in the present document include those aimed at meeting these requirements. Granting a “qualified“ status to a TSP is the decision of the national supervisory body. 4.2 Roles Accordingto RTS i.3 the role of the payment service provider can be one or more of the following: i) account servicing (PSP_AS); ii) payment initiation (PSP_PI); iii) account information (PSP_AI