ETSI TR 102 203 V1.1.1 (2003-05)
Technical Report

Mobile Commerce (M-COMM);
Mobile Signatures;
Business and Functional Requirements

Reference: DTR/M-COMM-003
Keywords: commerce, e-commerce, electronic signature, functional, mobile

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret No 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) No 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on
ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, send your comment to:

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2003. All rights reserved.

DECT™, PLUGTESTS™ and UMTS™ are Trade Marks of ETSI registered for the benefit of its Members. TIPHON™ and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.

Contents

Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Void
5 Background
6 Mobile Signature
6.1 Electronic Signatures Go Mobile
6.2 Proposed Definition for "Mobile Signature"
6.3 Using Mobile Signature
7 Mobile Signature Design Criteria
7.1 Server-Side Designs
7.2 Smart-Card Based Designs
7.3 Choice of Cryptographic Techniques
7.4 Public Key Infrastructure (PKI) Technology
7.5 Technology Choice
8 Use Cases for Mobile Signature
8.1 Potential Use Cases
8.2 Sample Mobile Signature En
8.3 Customer Initiated Top-Up of Prepaid Accounts
8.4 Corporate Local Area Network (LAN) Access
8.5 Content Download
8.6 Automated Prepaid Service "Top-Up"
8.7 Machine Maintenance Request (Alarm Conditions)
8.8 Disable Alarm Protection System
8.9 Stock/Share Trading
9 Mobile Signature Process
9.1 Awareness
9.2 Mobile Signature Acquisition
9.3 Use of Mobile Signature Capability
9.3.1 By an Application Provider
9.3.2 By a Citizen (Cardholder)
9.4 Mobile Signature Lifecycle Management
9.5 Customer Service
10 Mobile Signature Service
10.1 Mobile Signature Service - Web Service
10.2 Facilitating Awareness
10.3 Facilitating Mobile Signature Acquisition
10.3.1 Mobile Signature Equipment Deployment
10.3.2 User Registration
10.3.3 Activation of "Signing" Functionality
10.3.4 Registration for a "Dependent" Application
10.4 Use of Mobile Signature Capability
10.4.1 By the Application Provider (AP)
10.4.2 By the Citizen End-User
10.5 Facilitating a Range of Value Added Services
10.6 Mobile Signature Lifecycle Management
10.7 Facilitating Customer Service
10.8 Key Factors for Mobile Signature Service Success
11 Mobile Signature Implementation Challenges
11.1 Mobile Signature Registration
11.2 Mobile Signature Usage
12 Potential Roles and Responsibilities
    Smartcard Issuer
    Registration Authority (RA
    Certification Authority (C
    Mobile Signature Service
    Application Provider
12.3 Security Provisions
12.3.1 Security Levels
12.3.2 General Principles for End-User Security Experience
12.3.3 MSSPs
12.3.4 Application Providers
12.3.5 Smart-Card Issuers
13 Interactions and Interfaces
13.1 Overall Architecture
13.2 Interfaces between Entities
13.2.1 Registration and Certification
13.2.2 Home Network Transactions
13.2.3 Transaction Roaming
13.2.4 Other Possibilitie
13.2.5 Interfaces betwee
13.2.6 Applicable/Availa
14 Requirements
14.1 Business Requirements
14.2 Functional Requirements
15 Conclusions
Annex A: Generic Use Case "Template"
Annex B: User Experience of Use Case
Annex C: Bibliography
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (5).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Notice received from: Swisscom

Foreword

The present document (TR) has been produced by ETSI Project M-Commerce (M-COMM).

Introduction

Structure of the present document

Scope: A description of the goals and objectives of the present document.

Document Administration: An explanation of the structure, definitions, symbols and abbreviations used in the present document.

Introduction: Positions the Mobile
Signature project and EC funding etc leading to overview of why mobile signature has a way to accelerate deployment of electronic signatures as originally envisaged by the EU Directive.

Mobile Signature: Electronic signatures go mobile - definition of mobile signature.

Mobile Signature Design Criteria: Positions the criteria and technology choice for implementing mobile signature solutions.

Use Cases: Provides an overview of typical applications and services that might benefit from adoption of mobile signature to confirm the intentions of a citizen in relation to the transactional element of those applications and services. Also, describes the process sequence for some of these.

Mobile Signature Process: Outlines the end-to-end sequence involved in the mobile signature concept. The clause identifies the ACTIONS required for mobile signature to operate correctly and the ORDER in which they occur logically. An understanding of the action order helps to define what technology elements are required for the mobile signature architecture.

Mobile Signature Service: A short description of a service in which the mobile signature process is coordinated/managed.

Mobile Signature Implementation Challenges: Describes the challenges associated with implementing mobile signature service (registration and usage) in the current mobile environment. This clause identifies the starting point for:
    Task 2 = Interfaces Specification
    Task 3 = Security Provisions Specification
    Task 4 = Interoperability Specification

Roles and Responsibilities: A description of the roles identified in the mobile signature process and responsibilities of the entities that might be involved. Determination of which entity is best placed to undertake a particular role will be dependent upon the commercial model adopted.

Business and Functional Requirements: The Business requirements guide the preparation of functional requirements.

Conclusion: The present document provides guidance for drafting of ETSI Technical Specifications concerning Interfaces, Security Provisions and Interoperability required for implementation of industry-wide mobile signature services.

1 Scope

The present document ("TR") considers the business and functional requirements for a MOBILE SIGNATURE SERVICE. The present document is intended to guide the drafting
of the following ETSI Technical Specifications (TS) concerning interfaces, security provisions and interoperability of mobile signatures service solutions.

- Technical Specification: TS 102 204 - Mobile Signature Web Service Interfaces
- Technical Specification: TS 102 206 - Security Requirements for Mobile Signature Systems
- Technical Specification: TS 102 207 - Roaming of Mobile Signature Service Transactions

Together, the present document and the TSs will allow the design and implementation of interoperable mobile signature service solutions. As such, the present document defines business and functional requirements for mobile signature service solutions that leverage smartcards (including the GSM SIM-CARD) and cryptographic techniques (including asymmetric cryptography used in public key infrastructure - PKI) to facilitate the deployment of electronic signature solutions.

The mobile signature service is considered suitable for the administration and management of all aspects relating to:

- Acquiring mobile signature capability.
- Advising and guiding citizens about the use of mobile signature.
- Managing citizen identity (including Data protection and individual privacy).
- Processing of signature requests from application providers (and providing responses).
- Maintaining signature transaction records for the citizen.
- Managing all aspects of signature lifecycle (e.g. validity, expiry, revocation).
- Supporting service administration and maintenance activities.

In defining the Webservice,
the present document makes reference to interactions between different parties and to the end user experience of a mobile signature service at the mobile device. This is done to illustrate concepts and facilitate definition of business and functional requirements for the Webservice - only. Readers are referred to other sources of information as indicated in the "References" clause regarding definitions and specifications for these topics.

2 References

For the purposes of this Technical Report (TR) the following references apply:

[1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

application provider: person or organization
who develops and/or sells and/or supports a service used by a citizen

asymmetric cryptography: to encrypt messages in a manner that does not require from the encrypting entity to know the key used to decrypt the cipher-text
NOTE: Asymmetric cryptography also allows to sign messages in a manner that does not require from entity that verifies the signature to know the key used to produce the signature.

atomicity: property of a transaction, after an accidental or a malevolent interruption or shut-down the system either returns to state in which it was before the interruption or is able to carry on the interrupted task so as to complete it

buffer over-run: attack consisting in corrupting a program by overflowing its internal variables
NOTE: Can be avoided if the program checks that only data of appropriate length is stored in variables.

business case: describes the financial justification (business plan) for each commercial model

carrier groups: holding companies comprising multiple mobile network operator companies

Certification Authority (CA): authority that produces signatures on public-keys (certificates)
NOTE: The process of signing one's public-key is called "certification".

commercial model: describes roles and responsibilities of the organizations involved in providing a mobile signature service

dependent application (or service): See definition in clause 10.3.4.

dispute resolution: process of resolving disputed transactions

dual chip: mobile device containing the home network's SIM card plus a second smartcard possibly from another smartcard issuer

dual slot: mobile device capable of inserting a credit-card size smartcard

electronic signature: data in electronic form which are attached to or logically associated with other electronic data message and which serve as a
method of authentication
NOTE: Electronic signatures are of three sorts: General, Qualified and Advanced as defined in clause 6.1.

end user or citizen: person (or device) in possession of (or embedded in) the mobile device (and/or SIM-card) to which a mobile signature is associated
NOTE: End user and Citizen are used interchangeably throughout the present document.

EU Directive: text of the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures

mobile signature: universal method for using a mobile device to confirm the intention of a citizen to proceed with a transaction

mobile signature process: logical sequence of acquiring and making use of a mobile signature

mobile signature service: facility that coordinates and manages the mobile signature process represents an opportunity for the card-issuer to provide a mobile signature service to citizens and application providers

Mobile Signature Service Provider (MSSP): person or entity that provides a mobile signature service

Mobile Signature Service Provider (Home MSSP): MSSP associated to the mobile network in the citizen's normal country of residence

Mobile Signature Service Provider (Roaming MSSP): intermediary body that may provide interoperability between Home MSSPs

NTT DoCoMo: (specific) Japanese Telecommunication Operator

Prepaid Top-Up: act of adding service credits to a pre-paid account

proof of possession: proof that the citizen possesses or owns a given mobile device

registration authority: authority in charge of capturing personal attributes from a citizen used to form the security profile

server signature: setting with which a server issues a mobile signature on the user's behalf

signature gateway: platform operated by the MSSP to enable mobile signature functionality

signing-PIN: numeric code known only to the citizen entered by that citizen on his/her mobile device keypad in order to confirm his/her intention with respect to transaction details displayed on the screen