ETSI TR 102 438 V1.1.1 (2006-03)

Technical Report

Electronic Signatures and Infrastructures (ESI); Application of Electronic Signature Standards in Europe

Reference: DTR/ESI-000044
Keywords: IP, electronic signature, security

ETSI, 650 Route des Lucioles, F-06921 Sophia Antipolis Cedex, FRANCE
(c) European Telecommunications Standards Institute 2006. All rights reserved.

Contents

Intellectual Property Rights
Foreword
1 Scope
2 References
3 Definitions and abbreviations
  3.1 Definitions
  3.2 Abbreviations
4 Monitored Bodies and Workshops
5 e-Invoicing
  5.1 CEN/ISSS e-Invoicing Focus Group
  5.2 CEN/ISSS Workshop on "Interoperability of Electronic Invoices in the European Union"
    5.2.1 Workshop purpose
    5.2.2 Workshop organization
    5.2.3 Applicability of existing ESI standards and potential additional requirements on ESI standards
    5.2.4 Report on electronic signature related matters
      5.2.4.1 Introduction
      5.2.4.2 ETSI relevant CEN WS matters
      5.2.4.3 EDI vs. electronic signatures
      5.2.4.4 eInvoices storage vs. electronic signatures
    5.2.5 Any recommendations
6 e-Procurement
  6.1 Context
  6.2 Outcome of the workshop
  6.3 Main content of CWA 15236
    6.3.1 The main phases of e-Procurement
      6.3.1.1 e-Tendering
      6.3.1.2 e-Ordering
      6.3.1.3 e-Despatching
      6.3.1.4 e-Invoicing
    6.3.2 The relationship with the EESSI work
    6.3.3 The recommendations
  6.4 Opinion on the outcome of the workshop
7 e-Registered mail
  7.1 UPU EPM
    7.1.1 UPU Electronic PostMark Overview
    7.1.2 Recommendations
  7.2 Posta Elettronica Certificata - PEC in Italy
8 e-Authentication
  8.1 Overview of the CEN WS activity and their technical approach
  8.2 Applicability of existing ESI standards and potential additional requirements on ESI standards
  8.3 Any recommendations
9 CEN/TC 224 Machine Readable Cards
  9.1 Context
  9.2 Outcome of the TC 224 meeting in Munich on 14 and 15 April 2005
  9.3 TC 224 WG 16
  9.4 TC 224 WG 17
Annex A: CEN/ISSS e-Invoicing Focus Group
Annex B: CEN/ISSS Workshop on Electronic Authentication
  B.1 Part 1: Architecture for a European interoperable eID system within a smart card infrastructure
  B.2 Part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services
  B.3 Part 3: User Requirements for a European interoperable eID system within a smart card infrastructure
  B.4 Towards an electronic ID for the European Citizen, a strategic vision
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

1 Scope

A number of initiatives, funded by the European Commission, were started in Europe to support the Directives that apply electronic signatures and have their roots in Directive 1999/93/EC [1]; among them is Directive 2001/115/EC [2], which addresses invoicing in respect of value added tax. These initiatives concern, or concerned, e-invoicing, e-procurement and e-authentication. They also address electronic storage and further the development of CWA 14890 (the smart card application interface for secure signature creation devices). Electronic registered e-mail is also being developed inside and outside Europe.

All these subjects are impacted by, and may benefit from, the electronic signature documents developed by ETSI TC ESI together with the CEN Workshop E-Sign. ETSI launched a Specialist Task Force (STF 288) to harmonize the above initiatives with the existing ETSI Technical Specifications (TSs), in order to improve interoperability. The present document presents the results of that work, to assist in harmonizing the use of electronic signature standards across Europe.

Where the activities of other bodies had already closed when STF 288 was launched, or closed while STF 288 was running, reports summarizing the documents issued by those bodies, through abstracts and extracts, are attached as annexes.

2 References

For the purposes of this Technical Report (TR), the following references apply:

[1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
NOTE: The above is referred to as "the Directive" in the present document.
[2] Council Directive 2001/115/EC of 20 December 2001 amending Directive 77/388/EEC with a view to simplifying, modernising and harmonising the conditions laid down for invoicing in respect of value added tax.
[3] ETSI TS 101 456: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates".
[4] ETSI TS 102 042: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates".
[5] ETSI TS 101 862: "Qualified certificate profile".
[6] ETSI TS 101 733: "Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)".
[7] ETSI TS 101 903: "XML Advanced Electronic Signatures (XAdES)".
[8] ETSI TS 102 280: "X.509 V.3 Certificate Profile for Certificates Issued to Natural Persons".
[9] CWA 15264-01: "Architecture for a European interoperable eID system within a smart card infrastructure".
[10] CWA 15264-02: "Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services".
[11] CWA 15264-03: "User Requirements for a European interoperable eID system within a smart card infrastructure".
[12] ISO/IEC 10536-1 (2000): "Identification cards - Contactless integrated circuit(s) cards - Close-coupled cards - Part 1: Physical characteristics".
[13] ISO/IEC 10536-2 (1995): "Identification cards - Contactless integrated circuit(s) cards - Close-coupled cards - Part 2: Dimensions and location of coupling areas".
[14] ISO/IEC 10536-3 (1996): "Identification cards - Contactless integrated circuit(s) cards - Close-coupled cards - Part 3: Electronic signals and reset procedures".
[15] ISO/IEC 14443-1 (2000): "Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 1: Physical characteristics".
[16] ISO/IEC 14443-2 (2001): "Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 2: Radio frequency power and signal interface".
[17] ISO/IEC 14443-3 (2001): "Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 3: Initialization and anticollision".
[18] ISO/IEC 14443-4 (2001): "Identification cards - Contactless integrated circuit(s) cards - Proximity cards - Part 4: Transmission protocol".
[19] ISO/IEC 15693-1 (2000): "Identification cards - Contactless integrated circuit(s) cards - Vicinity cards - Part 1: Physical characteristics".
[20] ISO/IEC 15693-2 (2000): "Identification cards - Contactless integrated circuit(s) cards - Vicinity cards - Part 2: Air interface and initialization".
[21] ISO/IEC 15693-3 (2001): "Identification cards - Contactless integrated circuit(s) cards - Vicinity cards - Part 3: Anticollision and transmission protocol".
[22] Sixth Council Directive 77/388/EEC of 17 May 1977 on the harmonization of the laws of the Member States relating to turnover taxes - Common system of value added tax: uniform basis of assessment.
[23] Commission Recommendation 1994/820/EC of 19 October 1994 relating to the legal aspects of electronic data interchange.
[24] Commission Decision of 14 July 2003 on the publication of reference numbers of generally recognized standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council.
[25] CWA 14890-1: "Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic requirements".
[26] CWA 14890-2: "Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional Services".
[27] IETF RFC 3647: "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework".
[28] CEN EN 1332-4: "Identification Card Systems - Man-Machine Interface - Part 4: Coding of user requirements for people with special needs".
[29] CWA 13987-1: "Smart Card Systems: Interoperable Citizen Services: Extended User Related Information - Part 1: Definition of User Related Information and Implementation".
[30] CWA 14167-1: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements".
[31] CWA 14167-2: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2: Cryptographic Module for CSP signing operations with backup - Protection profile (CMCSOB-PP)".
[32] CWA 14167-3: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 3: Cryptographic module for CSP key generation services - Protection profile (CMCKG-PP)".
[33] CWA 14167-4: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 4: Cryptographic module for CSP signing operations - Protection profile (CMCSO-PP)".
[34] CWA 14169: "Secure signature-creation devices 'EAL 4+'".
[35] CWA 14170: "Security requirements for signature creation applications".
[36] CWA 14355: "Guidelines for the implementation of Secure Signature-Creation Devices".
[37] CWA 14890-1: "Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic requirements".
[38] CWA 14890-2: "Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional Services".
[39] ISO/IEC 14443: "Identification cards - Contactless integrated circuit(s) cards - Proximity cards".
[40] ISO/IEC 15693: "Identification cards - Contactless integrated circuit(s) cards - Vicinity cards".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

advanced electronic signature: electronic signature which meets the following requirements (see Directive 1999/93/EC [1]):
a) it is uniquely linked to the signatory;
b) it is capable of identifying the signatory;
c) it is created using means that the signatory can maintain under his sole control; and
d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

certificate: public key of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it (that is, the certificate is digitally signed by the issuing CA)
NOTE: See ITU-T Recommendation X.509.

certification authority: authority trusted by one or more users to create and assign certificates
NOTE 1: See ITU-T Recommendation X.509.
NOTE 2: A certification authority is a certification-service-provider issuing certificates.

certificate policy: named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements
NOTE: See ITU-T Recommendation X.509.

certification practice statement: statement of the practices which a certification authority employs in issuing certificates
NOTE: See IETF RFC 3647 [27].

Certification-Service-Provider (CSP): entity or a legal or natural person who issues certificates or provides other services related to electronic signatures
NOTE 1: See Directive 1999/93/EC [1].
NOTE 2: The present document is concerned with certification service providers issuing qualified certificates (or component services for issuing qualified certificates). It is not concerned with other types of CSP functions such as time-stamping and key escrow.

EDIFACT (Electronic Data Interchange for Administration, Commerce and Transport): ISO standard providing a set of ten application-level syntax rules addressing EDI communications

Electronic Business using eXtensible Markup Language (ebXML): modular suite of specifications that enables enterprises of any size and in any geographical location to conduct business over the Internet
NOTE: From the ebXML site, http://www.ebxml.org/geninfo.htm.

Electronic Data Interchange (EDI): transfer of commercial, administrative and business information between computer systems, using data formats which have been mutually agreed by the parties (