ETSI SR 001 604 V1.1.1 (2012-07)

Special Report

Rationalised Framework for Electronic Signature Standardisation

Reference: DSR/ESI-000099
Keywords: e-commerce, electronic signature, security

CEN
Avenue Marnix 17
B-1000 Brussels - BELGIUM
Tel: +32 2 550 08 11
Fax: +32 2 550 08 19

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00
Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within the ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2012. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights 5
Foreword 5
Introduction 5
1 Scope 6
2 References 6
2.1 Normative references 6
2.2 Informative references 6
3 Definitions and abbreviations 7
3.1 Definitions 7
3.2 Abbreviations 10
4 Inventory 11
5 Rationalised Structure for Electronic Signature Standardisation Documents 12
5.1 Introduction 12
5.1.1 Objectives of the rationalised structure 12
5.1.2 Approach 12
5.2 Electronic Signature Standardisation Classification Scheme 13
5.2.1 Functional Areas 13
5.2.2 Document Types 15
5.2.3 Rationalised structure with Sub-Areas 16
5.2.4 Numbering Scheme 17
5.2.5 Possible Extension of Classification Scheme to incorporate Identification, Authentication and Signature Standards 18
5.3 Rationalised structure by Area 19
5.3.1 Generic 19
5.3.2 Signature Creation

Intellectual Property Rights

Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Special Report (SR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI) and CEN Technical Committee TC 224.

Introduction

As a response to the adoption of Directive 1999/93/EC [i.1] on a Community framework for electronic signatures in 1999, and in order to facilitate the use and interoperability of eSignature-based solutions, the European Electronic Signature Standardization Initiative (EESSI) was set up to coordinate the European standardization organisations CEN and ETSI in developing a number of standards for eSignature products. Commission Decision 2003/511/EC [i.2], on generally recognised standards for electronic signature products, was adopted by the Commission following the results of the EESSI. This decision fostered the use of eSignature by publishing "generally recognised standards" for electronic signature products in compliance with article 3(5) of the Directive, but has a limited impact on the mapping of the current state of European standardisation on eSignatures, which also covers ancillary services to eSignature and the legal provisions and requirements laid down in Directive 1999/93/EC [i.1].

Emerging cross-border use of eSignatures and the increasing use of several market instruments (e.g. Services Directive [i.3], Public Procurement [i.4] and [i.5], eInvoicing [i.6]) that rely in their functioning on eSignatures and the framework set by the Signature Directive emphasized problems with the mutual recognition and cross-border interoperability of eSignature. Intending to address the legal, technical and standardisation-related causes of these problems, the Commission launched a study on the standardisation aspects of eSignature [i.7], which concluded that the current multiplicity of standardization deliverables, together with the lack of usage guidelines, the difficulty of access and the lack of business orientation, is detrimental to the interoperability of eSignature, and formulated a number of recommendations to mitigate this. Also, because many of the documents have yet to be progressed to full European Norms (ENs), their status may be considered uncertain. The Commission also launched the CROBIES study [i.8] to investigate solutions addressing some specific issues regarding profiles of secure signature creation devices and supervision practices, as well as common formats for trusted lists, qualified certificates and signatures.

In line with Standardisation Mandate 460 [i.9], consequently issued by the Commission to CEN, CENELEC and ETSI for updating the existing eSignature standardisation deliverables, CEN and ETSI have set up the eSignature Coordination Group to coordinate the activities carried out under Mandate 460. As one of the first tasks, the present document establishes a rationalised framework to overcome these issues within the context of the Signature Directive, taking into account possible revisions to this Directive, and proposes a future work programme to address any elements identified as missing in this rationalised framework. The following web site was set up in the framework of Mandate 460: http://www.e-signatures-standards.eu/.

1 Scope

The present document establishes a rationalised framework for electronic signature (eSignature) standardisation within the context of the current Electronic Signatures Directive and its possible revision. It provides:

a) An inventory of existing electronic signature standardisation.
b) A target rationalised structure for future European eSignatures standardisation documents.
c) The results of an existing-versus-target gap analysis with an assessment of the existing eSignatures standardisation documents.
d) The proposed future work plan for filling the gaps in electronic signature standardisation identified through the analysis.

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
[i.2] Commission Decision 2003/511/EC of 14.7.2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council.
[i.3] Directive 1998/34/EC of the European Parliament and the Council of 22.6.1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.
[i.4] Directive 2004/18/EC of the European Parliament and Council of 31.3.04 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts.
[i.5] Directive 2004/17/EC of the European Parliament and Council of 31.3.04 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors.
[i.6] Council Directive 2006/112/EC of 28.11.06 on the common system of value added tax.
[i.7] "Study on the standardisation aspects of e-signatures", SEALED, DLA Piper et al., 2007.
NOTE: Available at: http://ec.europa.eu/information_society/policy/esignature/docs/standardisation/report_esign_standard.pdf
[i.8] "CROBIES: Study on Cross-Border Interoperability of eSignatures", Siemens, SEALED and TimeLex, 2010.
NOTE: Available at: http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm
[i.9] Mandate M460: "Standardisation Mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the Field of Information and Communication Technologies Applied to Electronic Signatures".
[i.10] ISO/IEC 27000: "Information technology - Security techniques - Information security management systems - Overview and vocabulary".
[i.11] IETF RFC 3647: "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework".
[i.12] W3C Recommendation: "XML Signature Syntax and Processing (Second Edition)", 10 June 2008.
[i.13] ISO 32000-1: "Document management - Portable document format - Part 1: PDF 1.7".
[i.14] Commission Decision 2011/130/EU of 25 February 2011 establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.
[i.15] Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market.
[i.16] IETF RFC 3161 (August 2001): "Internet X.509 Public Key Infrastructure Time-Stamp Protocol".
[i.17] CCMB-2006-09-001: "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; Version 3.1, Revision 3", July 2009.
[i.18] ITU-T Recommendation X.509/ISO/IEC 9594-8: "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks".
[i.19] Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.
[i.20] Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States.
[i.21] ITU-T Recommendation X.1254/ISO/IEC DIS 29115: "Information technology - Security techniques - Entity authentication assurance framework".

NOTE: A further inventory of documents relating to electronic signature is given in annex D.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions taken from Directive 1999/93/EC [i.1] apply:

advanced electronic signature: electronic signature which meets the following requirements:
a) it is uniquely linked to the signatory;
b) it is capable of identifying the signatory;
c) it is created using means that the signatory can maintain under his sole control; and
d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

certificate: electronic attestation which links signature verification data to an entity or a legal or natural person and confirms the identity of that entity or legal or natural person

certification service provider: entity or legal or natural person who issues certificates or provides other services related to electronic signatures

NOTE: See annex A for discussion on certification service providers and Trust Service Providers. In the present document we will use the term "Trust Service Provider issuing certificates" for designating the Trust Service Provider who issues certificates and provides related certificate creation, assignment and life cycle management services.

certificate validation: process of checking that a certificate or certificate path is valid

electronic signature (eSignature): data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication

qualified certificate: certificate which meets the requirements laid down in Annex I of Directive 1999/93/EC [i.1] and is provided by a certification service provider who fulfils the requirements laid down in Annex II of Directive 1999/93/EC [i.1]

qualified electronic signature: advanced electronic signature which is based on a qualified certificate and which is created by a secure signature creation device

NOTE: See article 5.1 of Directive 1999/93/EC [i.1].

secure signature creation device: signature creation device which meets the requirements laid down in Annex III of Directive 1999/93/EC [i.1]

signatory: person who holds a signature creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents

NOTE: Directive 1999/93/EC [i.1] defines a signatory as being a "person", which "person" can be interpreted as a natural person or a legal person when this is applicable in MS legislation.

signature creation data: unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature

signature creation device: configured software or hardware used to implement the signature-creation data

signature validation: process of checking that a signature is valid including overall checks of the signature against local or shared signature policy requirements
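The definitions of certificate validation, signature validation against a signature policy, and requirement d) of an advanced electronic signature, as an added worked example that is not part of the ETSI document: a Go program using only the standard library that builds a constructed two-certificate path (a trust service provider CA and a signatory certificate), signs a document, and validates it. The certificate names, the policy values (digitalSignature key usage, 256-bit ECDSA key) and the Demo function are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Validate performs certificate validation (a valid path to a trusted root), a local signature-policy
// check (digitalSignature key usage, ECDSA key of at least minBits) and the check that makes any
// subsequent change of the signed data detectable (requirement d of an advanced electronic signature).
func Validate(doc, sig []byte, signer *x509.Certificate, roots *x509.CertPool, minBits int) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return err // no valid certificate path from the signer's certificate to a trust anchor
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().BitSize < minBits || signer.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("policy: key type, key size or key usage not acceptable")
	}
	if h := sha256.Sum256(doc); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature invalid: the data or the signature was altered")
	}
	return nil
}

// Demo builds a constructed trust service provider (CA) certificate and a signatory certificate issued
// under it, signs doc, optionally alters the data and returns the validation result. Certificate-creation
// errors are ignored because the whole fixture is constructed in-process (assumed demo helper).
func Demo(doc []byte, tamper bool) error {
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example TSP CA"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	ca, _ := x509.ParseCertificate(caDER)
	sigKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Signatory"},
		NotBefore: t0, NotAfter: t1, KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &sigKey.PublicKey, caKey) // issued by CA
	leaf, _ := x509.ParseCertificate(leafDER)
	h := sha256.Sum256(doc)
	sig, _ := ecdsa.SignASN1(rand.Reader, sigKey, h[:]) // the signatory's signature over the document hash
	if tamper { doc = append(append([]byte{}, doc...), '!') } // requirement d: a later change must be detected
	roots := x509.NewCertPool(); roots.AddCert(ca) // trust anchors for certificate validation
	return Validate(doc, sig, leaf, roots, 256)
}
```

Demo(doc, false) returns nil for an unaltered document; Demo(doc, true) returns the "signature invalid" error, and a signer certificate not chaining to the configured roots fails at the certificate-validation step before any cryptographic check.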