1、 ETSI TR 102 040 V1.3.1 (2005-03)Technical Report Electronic Signatures and Infrastructures (ESI);International Harmonizationof Policy Requirements for CAs issuing CertificatesETSI ETSI TR 102 040 V1.3.1 (2005-03) 2 Reference RTR/ESI-000027 Keywords e-commerce, electronic signature, public key, secu
2、rity, trust services ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the p
3、resent document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In ca
4、se of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this a
5、nd other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authori
6、zed by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2005. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIP
7、HON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 040 V1.3.1 (2005-03) 3 Contents Intellectual Property Rights4 Foreword.4 1 Sc
8、ope 5 2 References 5 3 Definitions and abbreviations.6 3.1 Definitions6 3.2 Abbreviations .6 4 Objective 7 5 Relevant activities 7 5.1 Introduction 7 5.2 IETF PKIX policy and practices framework7 5.3 ABA PKI assessment guidelines 7 5.4 US Federal PKI 8 5.5 APEC TEL eSTG .8 5.6 ANSI X9.79 - PKI polic
9、y and practices framework.9 5.7 ISO TC68 - PKI policy and practices framework 9 5.8 OECD.9 6 Recommendations 9 Annex A: Letter from US on Mapping to US Federal PKI11 History 13 ETSI ETSI TR 102 040 V1.3.1 (2005-03) 4 Intellectual Property Rights IPRs essential or potentially essential to the present
10、 document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respe
11、ct of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the
12、existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).
13、 ETSI ETSI TR 102 040 V1.3.1 (2005-03) 5 1 Scope The present document presents the results of ongoing work to harmonize existing ETSI Technical Specification (TS) on policy requirements for certification authorities (TS 101 456 1 and TS 102 042 2) with other internationally recognized standards and
14、related activities. The aim of the present document is to identify the way forward to meet the requirements of European Electronic Signature Directive 1999/93/EC 6 whilst operating within an internationally harmonized certificate policy framework to facilitate cross recognition between PKI policy en
15、vironments. 2 References For the purposes of this Technical Report (TR) the following references apply: 1 ETSI TS 101 456: “Policy requirements for certification authorities issuing qualified certificates“. 2 ETSI TS 102 042: “Policy requirements for certification authorities issuing public key cert
16、ificates“. 3 IETF RFC 2527: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework“. NOTE: Obsoleted by RFC 3647 4. 4 IETF RFC 3647: “Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework“. NOTE: Obsoletes RFC 25
17、27 3. 5 ISO/IEC 14516: “Information technology - Security techniques - Guidelines for the use and management of Trusted Third Party services“. 6 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. 7 American Bar A
18、ssociation: “PKI Assessment Guidelines (PAG)“. 8 ANSI X9.79: “Financial Services Public Key Infrastructure (PKI) Policy and Practices Framework“. 9 ISO/DIS 21188: “Public key infrastructure for financial services - Practices and policy framework“. 10 CEN CWA 14172-1: “EESSI Conformity Assessment Gui
19、dance Part 1 - General“. 11 CEN CWA 14172-2: “EESSI Conformity Assessment Guidance - Part 2: Certification Authority services and processes“. 12 ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8 (2001): “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute
20、 certificate frameworks“. 13 CEN CWA 14167-1: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements“. 14 ISO 15782-1: “Certificate management for financial services - Part 1: Public key certificates“. ETSI ETSI TR 102 04
21、0 V1.3.1 (2005-03) 6 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: certificate: public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the certifi
22、cation authority which issued it NOTE: See ITU-T Recommendation X.509 | ISO/IEC 9594-8 12. certificate policy: named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements NOTE: See ITU-T Recommendation X
23、.509 | ISO/IEC 9594-8 12. certification authority: authority trusted by one or more users to create and assign certificates NOTE: See ITU-T Recommendation X.509 | ISO/IEC 9594-8 12. certification practice statement: statement of the practices which a certification authority employs in issuing certif
24、icates NOTE: See RFC 3647 4. 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: ABA American Bar Association AICPA American Institute of Certified Public Accountants ANSI American National Standards Institute APEC Asia-Pacific Economic Community CA Certifi
25、cation Authority CEN Comit Europen de Normalisation CICA Canadian Institute of Chartered Accountants EESSI European Electronic Signature Standardization Initiative eSTG eSecurity Task Group FPKI Federal Public Key Infrastructure IETF Internet Engineering Task Force ISC Information Security Committee
26、 ISO International Organization for Standardization ISSS Information Society Standardisation System PAG PKI Assessment Guidelines NOTE: Document published by the American Bar Association 7. PKI Public Key Infrastructure PKIX Public Key Infrastructure X.509 based QCP Qualified Certificate Policy NOTE
27、: Policy defined in TS 101 456 1. WPISP Working Party on Information Security and Privacy ETSI ETSI TR 102 040 V1.3.1 (2005-03) 7 4 Objective The major objective of the present document on international certificate policy harmonization is achieving harmonization between other internationally recogni
28、zed policies and other policy requirements which are not constrained by the European legal framework, on the one side with, on the other side, CA policy requirements which meet the requirements of European electronic signature Directive 1999/93/EC 6. Thus, the main aim of harmonization is: to ensure
29、 that European CAs, both operating within the framework of European Directive and more generally, have at least equal recognition in the wider international marketplace; to ensure that certification systems accredited under the internationally recognized standards may also be able to meet the securi
30、ty and management requirements of the European approval (termed accreditation in European electronic signature Directive 1999/93/EC 6) schemes/frameworks. In order to achieve these objectives it is also important that there is a simple relationship between the structure and requirements of ETSI docu
31、ments and other internationally recognized standards. 5 Relevant activities 5.1 Introduction There are a wide range of activities relating to certificate policies and practices which have some international relevance. This clause does not aim to provide a comprehensive list of relevant activities; r
32、ather it identifies those which are most closely related to TS 101 456 1 (referred to in the present document as the ETSI QCP) and TS 102 042 2 and hence have aspects that are already aligned with these ETSI specifications. 5.2 IETF PKIX policy and practices framework The Internet Engineering Task F
33、orce (IETF) Public Key Infrastructure X.509 (PKIX) working group published in March 1999 a Certificate Policies and Certification Practices Framework - RFC 2527 3. This provides a structure for the specification of certificate policies and certification practice statements. RFC 2527 3 has been revis
34、ed by the IETF as RFC 3647 4. Whilst the technical changes in RFC 3647 4 are described as minimal, the recommended structure of PKI policy and practice statements have significantly changed with some sections, such as obligations, being spread across several different parts of the document. RFC 3647
35、 4 was released in November 2003. This is now starting to be used instead of RFC 2527 3 including adoption of the basis of ongoing work in the Federal PKI and APEC. The new release of the ETSI Qualified Certificate Policy TS 101 456 1 also uses this as its main reference instead of RFC 2527 3. Howev
36、er, RFC 2527 3 is still remains important basis for many existing PKI infrastructures. The ETSI QCP was developed around the concepts specified in RFC 2527 3 and RFC 3647 4, and a mapping to the provisions required in both documents are specified in an annex to TS 101 456 1. Most of the internationa
37、l certificate policy and accreditation schemes considered in this technical report are based around RFC 2527 3 or RFC 3647 4. Thus TS 101 456 1 provides a useful basis for work on international harmonization. 5.3 ABA PKI assessment guidelines The American Bar Association (ABA) Information Security C
38、ommittee (ISC) has produced guidelines for the assessment of a public key infrastructure called the PKI Assessment Guidelines (PAG) 7. The PAG provides general guidance particularly from the legal perspective. However, as a general guide the PAG does not identify specific requirements as necessary f
39、or a certificate policy. The PAG includes only a small amount of guidance regarding European legislation with a small amount of information on the Electronic Signature Directive 1999/93/EC 6. The PAG was published in 2003. ETSI ETSI TR 102 040 V1.3.1 (2005-03) 8 5.4 US Federal PKI The United States
40、federal government has established PKI infrastructure to support inter-departmental and inter-governmental security called the Federal PKI (FPKI). This is based around a Bridge CA which supports mapping between approved PKI domains. The approval is based around a “Federal Bridge CA Certificate Polic
41、y“ against which other PKI domain Certificate Policies may be mapped. The US FPKI executive and members of the ETSI ESI committee have worked together to develop a policy mapping document. This FPKI / ETSI QCP mapping document analyses elements of the two policies based upon the RFC 2527 3 framework
42、. This document has been finalized and on July 7 2004 the US General Services Administration - Office of Government-wide Policy made it official that the ETSI QCP (see annex A): “is fundamentally comparable to the USPKI Federal Bridge Certification Authority (FBCA) Certificate Policy at the medium a
43、ssurance level. The result is that Qualified certificates issued by Certification Authorities (CAs) established in European Member States, and which are compliant with the associated EESSI standards published by ETSI and Comit Europen de Normalisation (CEN), could be assured of their compatibility w
44、ith the US Federal PKI should they wish to pursue cross recognition“. This comparability was achieved taking also in account other specifications issued by ETSI ESI and by the CEN Information Society Standardisation System (CEN/ISSS) WS/E-SIGN workshop, in particular CEN CWA 14167-1 13, CEN CWA 1417
45、2-1 10 and CEN CWA 14172-2 11. It is suggested that future work is performed on an opposite mapping between the ETSI QCP on to the FPKI, which may be used as the basis of recognition of CAs operating in the US being recognized in Europe. 5.5 APEC TEL eSTG The eSecurity Task Group (eSTG) is a task gr
46、oup of the Business Facilitation Steering Group of the APEC Telecommunications and Information Working Group (APEC TEL) - APEC is the Asia-Pacific Economic Community. eSTG does not have a formal charter but has two basic functions: the security of information infrastructure and networks; interoperab
47、ility of electronic authentication schemes within the APEC region and with other non APEC entities. APEC has produced “Guidelines for Schemes to Issue Certificates Capable of Being Used in Cross Jurisdiction eCommerce“. These guidelines are based around a detailed analysis of a number of certificate
48、 policies and “accreditation“ schemes that have been developed around the ASIA-Pacific rim (including Australia, Canada, USA, Hong Kong and Singapore) as well as the ETSI Qualified Certificate Policy (QCP). Table 1: Policy and accreditation Schemes compared by APEC Australia Gatekeeper (Australian G
49、overnment) Grade 2, Type 2 Canada Government of Canada PKI Medium assurance European Union ETSI QCP - TS 101 456 1 Qualified certificate Hong Kong, China Electronic Transactions Ordinance Recognized certificate issued by a recognized CA Singapore Electronic Transactions Act Certificate issued by a licensed CA United States Federal Bridge Certification Authority Medium assurance From this analysis, APEC identified common approaches and identified a model for accredi
