1、 ETSI SR 019 020 V1.1.1 (2016-02) The framework for standardization of signatures; Standards for AdES digital signatures in mobile and distributed environment SPECIAL REPORT ETSI ETSI SR 019 020 V1.1.1 (2016-02) 2 Reference DSR/ESI-0019020 Keywords e-commerce, electronic signature, mobile, security
2、ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: ht
3、tp:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived
4、 difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision
5、or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff
6、.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of
7、 ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade
8、Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI SR 019 020 V1.1.1 (2016-02) 3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g
9、3Introduction 5g31 Scope 7g32 References 8g32.1 Normative references . 8g32.2 Informative references 8g33 Definitions and abbreviations . 10g33.1 Definitions 10g33.2 Abbreviations . 11g34 Usage scenarios for signing 12g34.1 Introduction 12g34.2 Actors . 13g34.3 Features 13g34.4 Local signing scenari
10、os 14g34.4.1 Local signing scenarios - general introduction . 14g34.4.2 L1: Digital signature value generation in personal device 14g34.4.3 L2: Digital signature value generation in personal device with application provider / MSSP Interaction . 16g34.4.4 L3: AdES completely generated in a personal d
11、evice. 17g34.5 Server signing scenarios . 19g34.5.1 Server signing scenarios - general introduction 19g34.5.2 S1: Generation of AdES in a server 20g34.5.3 S2: Generation of AdES in a server with multi-channel . 21g35 VS: validation service scenario 23g36 Further standardization requirements . 24g36.
12、1 Requirements on protocols for signing and validation . 24g36.2 Requirements related to service life cycle management . 25g36.2.1 Use cases for life cycle of user subscription to MSSP/SSP 25g34.6 LS: Split local and server signing scenario (threshold cryptography) 26g36.2.2 Use cases for events rel
13、ated to mobile device and MNO 27g36.3 Standardization requirements and rationalized framework 27g36.4 Scope of new standards identified 28g36.4.1 Overview 28g36.4.2 ETSI TS 119 152: Architecture for digital signatures in distributed environments 29g36.4.3 CEN EN 419 241: Trustworthy Systems Supporti
14、ng Server Signing . 29g36.4.4 ETSI TS 119 431: Policy and security requirements for trust service providers providing AdES digital signature generation services . 29g36.4.5 ETSI TS 119 441: Policy and security requirements for trust service providers providing AdES digital signature validation servi
15、ces 30g36.4.6 ETSI TS 119 432: Protocol profiles for TSPs providing AdES digital signature generation services 30g36.4.7 ETSI TS 119 442: Protocol profiles for trust service providers providing AdES digital signature validation services 31g3Annex A: Most relevant standards . 32g3A.1 Introduction 32g
16、3A.2 OASIS DSS and DSS-X specifications 32g3A.2.1 Introduction 32g3A.2.2 OASIS DSS Core specification 32g3A.2.2.1 SignRequest/SignResponse protocol 32g3A.2.2.2 VerifyRequest/VerifyResponse protocol 33g3ETSI ETSI SR 019 020 V1.1.1 (2016-02) 4 A.2.3 AdES profile . 33g3A.2.3.1 Introduction. 33g3A.2.3.2
17、 SignRequest/SignResponse protocol 33g3A.2.3.3 VerifyRequest/VerifyResponse protocol 34g3A.2.4 Asynchronous profile . 34g3A.2.5 Visible signature profile . 34g3A.2.6 Local signature computation profile . 35g3A.2.7 Profile for comprehensive multi-signature verification reports 35g3A.2.8 Usability of
18、DSS profiles within the analysed scenarios 35g3A.3 ETSI M-COMM specifications 36g3A.3.1 Introduction 36g3A.3.2 Mobile signature service 36g3A.3.3 Mobile signature service - web service 37g3A.3.3.1 Introduction. 37g3A.3.3.2 MSS_Signature . 37g3A.3.3.3 MSS_Status. 37g3A.3.3.4 MSS_Receipt 37g3A.3.3.5 M
19、SS_Registration . 38g3A.3.3.6 MSS_Handshake . 38g3A.3.4 Mobile signature roaming service 38g3History 40g3ETSI ETSI SR 019 020 V1.1.1 (2016-02) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to
20、these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Lat
21、est updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI
22、Web server) which are, or may be, or may become, essential to the present document. Foreword This Special Report (SR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should
23、 not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction E
24、lectronic commerce has emerged as a common way of doing business. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is, therefore, important that companies using electronic means of doing business have suitable security controls and
25、 mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect the digital signature is an important security component that can be used to protect information and provide trust in electronic business. ETSI EN 319 102-1 i.19 define
26、s processes for creation and validation of AdES digital signatures such as specified in ETSI EN 319 122 i.2, ETSI EN 319 132 i.3, ETSI EN 319 142 i.4 or ETSI EN 319 162 i.6. Most standards for such digital signatures implicitly assume that all steps of these processes are carried out in one IT-syste
27、m, e.g. by use of a signing device interfaced to a personal computer system local to the user. However, market solutions exist for digital signature creation and validation supported by remote systems accessed through a mobile or conventional network; the process steps devised by ETSI EN 319 102-1 i
28、.19 are partly carried out locally to the user and partly by these remote systems. In particular, such server-assisted signing/validation is used with mobile, and other personal devices that increasingly contribute to many aspects of the users everyday life. ETSI has previously published a set of st
29、andards for mobile commerce (M-COMM i.9, i.10, i.11 and i.12) supporting digital signatures created on a personal device supported by remote networked services and communicating over mobile networks. Moreover, OASIS has developed the standard DSS (Digital Signature Standard i.8, i.30, i.33 and i.34)
30、 for use of remote digital signature services, and this is applicable for use from mobile or other personal computing devices. The present document considers scenarios for server-assisted signing/validation, in mobile and other distributed computing environments, based on a number of solutions avail
31、able in the market. The report identifies requirements for further standardization, building on the existing M-COMM and OASIS DSS standards, considering both requirements for security assurance as well as interoperability. For security assurance, standards such as CEN TS 419 241 i.15 is also conside
32、red. The present document particularly considers standardization requirements for scenarios involving assistance of remote services supporting: a) Local signing use cases where the signing key is held with the signers personal device; ETSI ETSI SR 019 020 V1.1.1 (2016-02) 6 b) Server signing use cas
33、es where the signing key is held in a shared server; c) Validation of signatures where the digital signature is verified supported by a remote server. Where all the signing / signature functionality is carried out within a personal device and does not require any assistance of remote servers then ex
34、isting standards for signing are considered appropriate and hence such cases are not considered in the present document. As it is considered that many of the cases described in the present document are similar to use of other personal devices such as laptop and personal computers the analysis takes
35、into account the possibility of applying the same standard to any personal device not just mobile devices. ETSI ETSI SR 019 020 V1.1.1 (2016-02) 7 1 Scope The present document provides a framework for further standardization for the creation and validation of AdES digital signatures, such as specifi
36、ed in ETSI EN 319 122 i.2, ETSI EN 319 132 i.3, ETSI EN 319 142 i.4 or ETSI EN 319 162 i.6, in mobile and distributed environments assisted by remote servers. The present document takes into account that the capabilities of personal devices will continue to evolve and is likely to increasingly overl
37、ap with the capabilities of other computing devices. The present document identifies the recommended scope of such standards and any suggested provision thought appropriate to these standards. The standards framework in the present document is based on an analysis of scenarios commonly known to be i
38、n use or of potential interest. A classification scheme based on that used in ETSI TR 119 000 i.1 is used to classify the standardization requirements based on the analysis of common scenarios. The present document does not address standardization for mobile environments where the whole signature cr
39、eation and/or validation process is carried out within the personal device. Whilst considered important to the market, this generally does not involve external interfaces which require further standardization beyond that already supported using existing standards within ETSI TR 119 000 i.1. The pres
40、ent document does not directly address specific requirements for mobile access to other supporting trust services such as time-stamping, revocation status or directory services as it is considered that these would either be addressed by signature creation or validation services, or that a personal d
41、evice has the capabilities to address these services directly by use of existing standards within ETSI TR 119 000 i.1. The present document particularly considers standardization requirements for scenarios involving assistance of remote services supporting: a) Local signing use cases where the signi
42、ng key is held with the signers personal device. b) Server signing use cases where the signing key is held in a shared server. c) Validation of signatures where the digital signature is verified supported by a remote server. The present document does not include an analysis of the security risks nor
43、 identification of specific security requirements for AdES digital signatures in mobile and distributed environments; security requirements are addressed in CEN TS 419 241 i.15. It rather addresses the requirements for standards supporting the distribution of the functionality related to creation an
44、d validation of AdES digital signature between distributed system elements. The present document is limited to AdES digital signatures supported by PKI and public key certificates, including use of secure signing devices such as qualified electronic signature (and seal) creation devices as defined i
45、n Regulation (EU) No 910/2014 i.5, and aims to meet the general requirements of the international community to provide trust and confidence in electronic transactions, including, amongst other, applicable requirements from Regulation (EU) No 910/2014 i.5.Whilst scenarios may be applicable to electro
46、nic seals, the present document concentrates on the use of services in support of digital signatures for natural persons or natural persons associated with legal persons. The present document takes into account existing standards and publicly available specifications in the current framework for dig
47、ital signature standardization ETSI TR 119 000 i.1. ETSI ETSI SR 019 020 V1.1.1 (2016-02) 8 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited versio
48、n applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included
49、in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applie