1、ETSI TR 102 044 1.1.1 (2002-12) Technical Repor Electronic Signatures and Infrastructures (ESI); Requirements for role and attribute certificates 2 ETSI TR 102 044 VI .I .I (2002-12) Reference DTR/ESI-000005 Keywords electronic signature, security ETSI 650 Route des Lucioles F-O6921 Sophia Antipolis
2、 Cedex - FRANCE Tel.: +33 4 92 94 42 O0 Fax: +33 4 93 65 47 16 Siret No 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-prfecture de Grasse (06) No 7803/88 Important notice Individual copies of the present document can be downloaded from: http:lwmv.etsi .arq The present
3、 document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of
4、 the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at ha p:/pa rta I. etsi I a rgltb
5、istat uslstatus .as p If you find errors in the present document, send your comment to: Cori vriaht Notifica tion No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. O European Telecommunications Stand
6、ards Institute 2002. All rights reserved. DECTTM, PLUGTESTSTMand UMTSTMare Trade Marks of ETSI registered for the benefit of its Members. TIPHONTM and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the
7、benefit of its Members and of the 3GPP Organizational Partners. ETSI 3 ETSI TR 102 044 VI .I .I (2002-12) Contents Intellectual Property Rights . .5 Foreword . 5 1 2 3 3.1 3.2 4 5 5.1 5.2 6 6.1 6.2 6.3 6.3.1 6.3.2 7 7.1 7.2 7.2.1 7.2.2 7.2.3 8 8.1 8.2 8.2.1 8.2.2 9 9.1 9.2 9.3 9.4 9.5 9.6 9.7 10 10.
8、1 10.2 11 11.1 11.2 11.3 11.4 11.5 12 12.1 Scope 6 References . .6 Definitions and abbreviations .7 . 7 . 8 Implications from the requirements of the Directive .8 European surveys .9 Personnel certification . 9 Currently implemented attribute certificate usage. 9 Various kinds of attributes . 1 O .
9、10 Group memberships . 10 Roles . . 12 Other authorization information . 12 Proxies . 12 Capabilities . . Claimed and certified attributes . 13 Claimed attributes. 13 Certified Attributes. 13 The Attribute Issuing Authority 13 Directly certified attributes . 14 Verified attributes . 14 Attribute mea
10、ning and representation . .15 Attribute meaning . 15 Attribute represen . 15 Group membership 15 . 15 Other Attribute characteristics . .16 16 16 16 16 17 17 17 Role Attribute life span Attribute certific Attribute certific Attribute revocati cate revocation . Attribute privacy . Ways to acquire att
11、ribute . Delegable attributes . Using Public Key Certificates Using Attribute Certificates Attribute Certificates management .20 Attribute verification by the ACA . 20 Link with a PKC . 20 Attribute Certific cation management 23 Attribute Certificate acquisition . . 23 Attribute delegation managemen
12、t .24 Placement of attributes in certificates .18 18 19 Recommendations . .24 Requirements for Attribute Certificate Policies 24 24 25 12.1.1 Requirements for ACAs . 12.1.2 Requirements for AAS . ETSI 4 ETSI TR 102 044 VI . 1 . 1 (2002-12) 12.2 12.3 12.4 12.5 Definition of cross-European roles . 26
13、Attribute Certificate Profile for Electronic Signatures . 26 Attribute Certificate Acquisition Protocol 27 Criteria for using PKCs or ACs 27 Annex A: Attribute syntax in ASN.l 28 Annex B: Guidelines for the certification of roles in subscription certificates . 30 Annex C: Bibliography 46 History 47
14、ETSI 5 ETSI TR 102 044 VI .I .I (2002-12) Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
15、in ETSI SR 000 314: “Intellectual Property Rights (7PRs); Essential, orpotentially Essential, IPRs notlJied to ETSI in respect ofETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (5). All published ETSI deliverables shall include infor
16、mation which directs the reader to the above source of information. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The objective of the present document is to identiSl a set of requirements that will provide a basis
17、on which a subsequent standard can build policy requirements for attributes certified by Attribute Authorities or Certification Authorities either in a subjects PKCs (Public Key Certificates) or in ACs (Attribute Certificates). By attribute it is intended a persons qualification that entitles hidher
18、 to exert specific functions, e.g. CEO from company AAA, doctor in medicine from country BBB, barrister from country CCC, sales director from company DDD, etc. or obtain some privileges, e.g. member from Golf Club EEE, etc. A survey has been made on potential usages of attributes and the outcome has
19、 been that very little attribute usage currently exists, so very little (if any) experience can be draw from the real world. Therefore the present document is based both on the few information received and the best assumptions that could be done on that topic. When no distinction is wished to be mad
20、e between an Attribute Authority and a Certification Authority, the generic term Attribute Certification Authority (ACA) is being used. The findings of the present document are intended mainly for the support of electronic signatures, but nothing prevents them from being used for other reasons, e.g.
21、 for authorization. ETSI 6 ETSI TR 102 044 VI .I .I (2002-12) 1 Scope The present document identifies a set of requirements that will provide a basis for a subsequent standard, which will then build policy requirements for attributes certified by Attribute Authorities or Certification Authorities co
22、mplying with 4 and related standards. In some electronic signature applications, roles and attributes can be exerted only if a claimers right to use them is certified by one competent authority which is trusted by the signed document users. The scope of the present document is to investigate on the
23、attribute certification related topics in order to cover the general use of certified attributes in the context of electronic signatures. Attributes that can be used in such a context can also be used for other reasons, e.g. for authorization. 2 Re fe re nces For the purposes of this Technical Repor
24、t (TR), the following references apply: il 21 31 ETSI TS 101 733: “Electronic Signatures and Infrastructures (ESI); Electronic Signature Formats“. ETSI TR 102 041: “Signature Policies Report“. Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community frame
25、work for electronic signatures. ISO/IEC 9594-8 (200 1): “Information technology; Open Systems Interconnection; The Directory: Public-key and attribute certificate frameworks“. IETF RFC 3280: “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile“, R.Housl
26、ey, W. Ford, W. Polk, D. Solo, April 2002. IETF RFC 3039: “Internet X.509 Public Key Infrastructure Qualified Certificates Profile“, S. Santesson, W. Polk, P. Barzin, M. Nystrom, January 2001. ITU-T Recommendation X.520: “Information technology; Open Systems Interconnection; The Directory: Selected
27、attribute types“. IETF RFC 3281: “An Internet Attribute Certificate Profile for Authorization“, S. Farrell. R. Housley, April 2002. EN 450 13 : “General criteria for certification bodies operating certification of personnel“. ISO/IEC FDIS 17024 (2002): “Conformity assessment; General requirements fo
28、r bodies operating certification of persons“ draft. EAC/G4: “Guidelines on the Application of EN 45013“, issued in September 1995 by the European Accreditation of Certification, ETSI TS 101 862: “Qualified certificate profile“ ISO/IEC 9594-6: “Information technology; Open Systems Interconnection; Th
29、e Directory: Selected attribute types“. 41 51 61 71 SI 91 lo1 i 11 121 i31 ETSI 7 ETSI TR 102 044 VI .I .I (2002-12) 3 3.1 Definitions and abbreviations De fi nit ions For the purposes of the present document, the following terms and definitions apply: attribute: information bounded to an entity tha
30、t specifies a characteristic of an entity, such as a group membership or a role, or other information associated with that entity Attribute Authority (AA): authority trusted by one or more users to create and sign attribute certificates NOTE: It is important to note that the AA is responsible for th
31、e attribute certificates during their whole lifetime, not just when registering them. Attribute Certificate (AC): data structure containing a set of attributes for an end-entity and some other information, which is digitally signed with the private key of the AA which issued it Attribute Certificate
32、 Policy (ACP): named set of rules that indicates the applicability of an attribute certificate to a particular community andor class of application with common security requirements or which indicates basic rules for registering, delivering and revoking attributes contained in certificates Attribute
33、 Certification Authority (ACA): authority trusted to include attributes in either PKCs or ACs Attribute Certificate validity period: the time period during which the attributes included in an attribute certificate are deemed to be valid Attribute certification period: the time period during which AC
34、s including a given attribute will effectively be provided by the AA Attribute Certification Practice Statement (ACPS): statement of the practices that an Attribute Certification Authority employs in issuing certificates. authoritative Attribute Issuing Authority (AIA): the authoritative source of a
35、n attribute certificate: either Attribute Certificate or a Public Key Certificate NOTE: Where there is no distinction made the context should be assumed that the term could apply to both an Attribute Certificate or a Public Key Certificate. Certification Authority (CA): authority trusted by one or m
36、ore users to create and assign public key certificates group membership: state of being a member of a group, e.g. a club, a company, an organization, an organization branch or a project Privilege Management Infrastructure (PMI): the infrastructure able to support the management of privileges in supp
37、ort of a comprehensive authorization service and in relationship with a Public Key Infrastructure Public Key Certificate (PRC): data structure containing the public key of an end-entity and some other information, which is digitally signed with the private key of the CA which issued it Qualified Cer
38、tificate (QC): Public Key Certificate that conforms to annex I from the Directive 1999/93/EC and that is issued by a Certification Authority that conforms to the requirements from annex II from the same Directive NOTE: See 3. role: function, position or status that somebody has in an organization, i
39、n society or in a relationship ETSI 8 ETSI TR 102 044 VI .I .I (2002-12) 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AA AC ACA ACP ACPS AIA ASN. 1 CA EESSI OID PKC PKI PMI QC Attribute Authority Attribute Certificate Attribute Certification Authorit
40、y Attribute Certificate Policy Attribute Certification Practice Statement Attribute Issuing Authority Abstract Syntax No. 1 Certification Authority European Electronic Signature Standardization Initiative Object IDentifier Public Key Certificate Public Key Infiastructure Privilege Management Infiast
41、ructure Qualified Certificate 4 Implications from the requirements of the Directive Directive 3 article 2(3) states that: “signatorymeans aperson who . acts either on his own behalfor on behalfof the natural or legalperson or entity he represents“, introduces the need to define under which role do s
42、ubjects sign. Directive 3, annex I specifies that: “Qualified certificates must contain (. . .) . . . (d) provision for a specific attribute of the signatory to be included ifrelevant, depending on the purpose for which the certijicate is intendedl The previously quoted annex I (d) of the Directive
43、3 clearly lays down the possibility to include “attributes“ in a QC (Qualified Certificate). This provides sufficient legal support to adopt QCs to spec Attributes, where deemed useful and applicable. This can be achieved by inserting them in the “title“ field within the subjectDirectoryAttribute ex
44、tension defiied in ISO/IEC 9594-8 4, as per IETF RFC 3039 6. It is to be noted that, although article 6(3), (4) and annex I (i), 0) of the Directive 3 also explicitly provide for the possibility to speciSl “limitation to the value of a transaction“ and “limitations of use“ in a QC, such data, that m
45、ight be thought of as signers “attributes“, have their natural location respectively in the field “QcEuLimitValue“, defiied in TS 101 862 12, and in the extensions keyusage, extendedKeyUsage, defiied in ISO/IEC 9594-8 4. On the other hand, as per the QC requirements stated in Directive 3 annex I, a
46、QC must hold the signature verification data (letter e), so an Attribute Certificate cannot be a QC, since it bears no public key. The following Directive 3 provisions are worth noting. 1) As per article 6( i), liabilities apply on issuing QC CSP, namely “as regards the accuracy at the time of issua
47、nce of all information contained in the qualified certificate . . .“, which includes “provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended“, as per annex I, letter (d) Annex II, letter (l), 3d bullet requires t
48、hat a QC may be publicly available only upon subjects consent. This requirement must be taken in account also when issuing attributes-speciSling QCs. 2) Directive annex II (d) also puts a clear onus on the QC issuing certification service providers that speciSl subjects Attributes: “veriSl, by appro
49、priate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued“. From the previous Directive excerpts it is clear that specific requirements are to be met by any authority that certifies any kind of attribute. If this authority is the same CA that issues PKCs certiSling attributes, e.g. through the subjectDirectoryAttribute extension, then the Certificate Policy shall be enriched with additional requirements related to attribute Certif
