1、 ETSI TR 102 605 V1.1.1 (2007-09)Technical Report Electronic Signatures and Infrastructures (ESI);Registered E-MailETSI ETSI TR 102 605 V1.1.1 (2007-09) 2 Reference DTR/ESI-000051 Keywords e-commerce, electronic signature, security, e-mail, trust services ETSI 650 Route des Lucioles F-06921 Sophia A
2、ntipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The pr
3、esent document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printe
4、rs of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/
5、status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restri
6、ction extend to reproduction in all media. European Telecommunications Standards Institute 2007. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for t
7、he benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TR 102 605 V1.1.1 (2007-09) 3 Contents Intellectual Property Rights7 Foreword.7 Introduction 7 Executive Summary7 1 Scope 9 2 References 10 2.1 Infor
8、mative references10 3 Definitions and abbreviations.11 3.1 Definitions11 3.2 Abbreviations .11 4 Questionnaire .12 5 Market 13 5.1 Specific Conclusions on Market.17 6 Regulations and legal validity 17 6.1 Survey overview.18 6.2 National situation .20 6.2.1 Specific legislation on REM evidential serv
9、ices.20 6.2.1.1 Posta Elettronica Certificata (PEC) (Italy)20 6.2.1.2 Belgium.21 6.2.1.3 France21 6.2.2 REM services provided by public administrations with public notarization functions.22 6.2.2.1 Secure Telematic Notifications Service (Spain)22 6.2.2.2 ChamberSign Sverige AB (Sweden).22 6.2.2.3 Hy
10、brid REM systems (send electronically - receive on paper) .22 6.2.3 General electronic signature and contractual legislation.22 6.3 Specific conclusions on regulation and legal validity 23 7 Services 24 7.1 Evidence.24 7.2 Other security related services25 7.3 Other Services 26 7.4 External 27 7.5 S
11、pecific conclusions services .28 8 REM system overviews29 8.1 Introduction 29 8.2 Initial architecture.30 8.3 Generic Model and Specific Adaptations.30 8.3.1 REM relevant entities .31 8.3.2 AFNOR REM service.34 8.3.3 Italian REM service (a.k.a. “CNIPA“ model) .34 8.3.4 UPU ECPM model .35 8.3.5 Criti
12、cal Path model .36 9 Services within REM37 9.1 Availability of evidence .38 9.1.1 Flow of evidence between parties.38 9.1.2 Carrying evidence.39 9.1.3 On-line querying services without signed evidences 39 9.1.4 Specific conclusions on the availability of evidence 40 9.2 Message identification40 9.2.
13、1 Allocation of message identifier .40 9.2.2 Message Identification in Notifications 41 ETSI ETSI TR 102 605 V1.1.1 (2007-09) 4 9.2.3 Specific conclusions on message identification41 9.3 E-mail clients42 9.3.1 Specific conclusions on e-mail clients42 9.4 Interface to external services 43 9.4.1 Speci
14、fic conclusions on external interfaces 43 9.5 Use of independent service providers.43 9.5.1 Specific conclusions on use of independent services43 10 Security features.44 10.1 Authentication of parties 44 10.1.1 Specific conclusions on authentication of parties .44 10.2 Authentication of evidence.45
15、10.2.1 Specific conclusions on authentication of evidence46 10.3 Signature formats .46 10.3.1 Specific conclusions on signature formats46 10.4 Time-stamping and time-marking 46 10.4.1 Specific conclusions on time-stamping and time-marking .47 10.5 Security protocols.47 10.5.1 Specific conclusions on
16、 security protocols .47 10.6 Supporting services 48 10.6.1 Specific conclusions on supporting services.48 11 Policies and practices .49 11.1 Registration 49 11.1.1 Specific conclusions on registration .49 11.2 Security management .50 11.2.1 Specific conclusions on security management50 11.3 Security
17、 of signing device 50 11.3.1 Conclusions on clause 11.3.50 11.3.1.1 Security of signing device.50 12 Related standards activities 51 12.1 AFNOR Z 74-600.51 12.2 UPU Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat.
18、 Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the up
19、dates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction The present document is the result of a study into exi
20、sting and prospective Registered E-Mail systems in Europe with the aim of identifying requirements leading to standardization in this area. Business and administrative relationships among companies, public administrations and private citizens, are now more and more implemented electronically. Trust
21、is becoming essential for their success and continued development of electronic services. It is therefore important that any entity using electronic services have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their partners.
22、In this respect the electronic signature is an important security component that can be used to protect information and provide trust in electronic business. Electronic mail is another major tool for electronic business and administration. It has been recognized that additional security services are
23、 necessary for e-mail to be trusted. In some European Union Member States (Italy, Belgium, etc.) regulation(s) and application(s) are already in place on mails transmitted by electronic means providing origin authentication and proof of delivery. Such security services may be used to provide trusted
24、 evidence of submission and delivery of electronic mail equivalent to the existing physical registered postal service. Several approaches are possible in order to realize the goal of trusted Registered E-Mail services. This may be enhanced, for example, by other facilities such as sender origin auth
25、entication. Also, existing services such as the Electronic Postal Certification Mark (formerly referred to as Digital Post Mark CEN and Electronic Post Mark by Universal Postal Union) provides further electronic evidence about the handling of messages. In order to move towards the general recognitio
26、n and readability of evidence provided by registered e-mail services, it is necessary to specify technical formats, as well as procedures and practices for handling registered e-mail, and the ways the electronic signatures are applied to it. Executive Summary A range of differing services for what i
27、s being referred to as Registered E-Mail (REM) are being established in Europe. Registered e-mail is an enhanced form of e-mail which provides evidence relating to the handling of an e-mail including proof of submission and delivery. The present document summarizes the results of a survey among orga
28、nizations with interests in REM services for Europe with the aim of identifying requirements for standardization in this area. The survey described in the present document identified significant deployment of REM with services existing or planned in at least 10 European nations with an existing user
29、 community of over 500 000 and potential community of 100 million. The body of the present document also provides information on the basis for these services including the most prevalent forms of evidential services supported in Registered E-Mail services and products, the legal basis for REM. In ad
30、dition the report identifies how these services are provided and the technical basis for the security features. ETSI ETSI TR 102 605 V1.1.1 (2007-09) 8 The report also surveys the procedural and policy basis for the provision of REM services. Finally, existing standardization activities of relevance
31、 to REM including the Universal Postal Unions Electronic Postal Certification Mark (formerly called Digital or Electronic Post Mark) Standard which, whilst it does not define standards for full REM services, has relevance for certain aspects of REM. The report identifies that there were a range of s
32、olution architectures on which existing REM services are based. The basis of a generic architecture is proposed to which solution architectures may be related and which may be used as the basis for future standardization. The report proposes that further standardization is required for the provision
33、 of signed evidence for Registered E-Mail, in particular: Architecture for the provision of signed evidence in support of Registered E-Mail. Data requirements and formats for signed evidence in support of Registered E-Mail. Policy requirements for trust service providers supporting Registered E-Mail
34、. ETSI ETSI TR 102 605 V1.1.1 (2007-09) 9 1 Scope The present document summarizes the results of a survey among organizations with interests in Registered E-Mail services for Europe including state authorities, standardization bodies, e-mail product and service providers, local experts. The survey i
35、ncluded information on Registered E-Mail services outside Europe to place the work within a global context. The survey investigated current and prospective Registered E-Mail implementations with the aim of identifying requirements for standardization in this area. Registered e-mail is an enhanced fo
36、rm of e-mail which provides evidence relating to the handling of an e-mail including proof of submission and delivery. Based on this survey and on the results of further work within ETSI, a number of Technical Specifications (TSs) are to be produced for Registered E-Mail. The present document gives
37、specific recommendations as to the scope of these specifications based on the results of this survey. The results given below include tables giving general data relating to particular questions in the survey. These are given for the overall totals for particular questions as well as, in some tables,
38、 sums for the following sub-categories: Existing Products for registered e-mail. Existing Services for registered e-mail. Regulatory requirements for registered email including implemented standards. Other categories of respondent including potential future product products and services, potential u
39、sers of registered of e-mail, standards to be implemented. In addition, annex A gives an overview of the main approaches in regulations, products and services. ETSI ETSI TR 102 605 V1.1.1 (2007-09) 102 References References are either specific (identified by date of publication and/or edition number
40、 or version number) or non-specific. For a specific reference, subsequent revisions do not apply. Non-specific reference may be made only to a complete document or a part thereof and only in the following cases: - if it is accepted that it will be possible to use all future changes of the referenced
41、 document for the purposes of the referring document; - for informative references. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. For online referenced documents, information sufficient to identify and lo
42、cate the source shall be provided. Preferably, the primary source of the referenced document should be cited, in order to ensure traceability. Furthermore, the reference should, as far as possible, remain valid for the expected life of the document. The reference shall include the method of access t
43、o the referenced document and the full network address, with the same punctuation and use of upper case and lower case letters. NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Informative references 1 Univer
44、sal Postal Union S43-3: “Secured Electronic Postal Services Interface Specification“. NOTE: To be published. Formerly entitled Electronic Post Mark Interface Specification. 2 CEN TS 15130: “Postal Services - DPM infrastructure - Messaging supporting DPM applications“. 3 OASIS Committee Specification
45、 Electronic PostMark (EPM): “Profile of the OASIS Digital Signature Service Version 1.0, Ed Shallow, 13 February 2007“. 4 ISO/IEC 13888 (Parts 1 to 3): “Information Technology Security Techniques Non repudiation“. 5 ISO/IEC 27001 “Information technology Security techniques Information security manag
46、ement systems - Requirements“. 6 Directive 97/67/EC of the European Parliament and of the Council of 15 December 1997 on common rules for the development of the internal market of Community postal services and the improvement of quality of service. 7 IETF RFC 3852: “Cryptographic Message Syntax (CMS
47、)“. 8 ETSI TS 101 733: “Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)“. 9 ETSI TS 101 903: “XML Advanced Electronic Signatures (XAdES)“. 10 W3C/IETF Recommendation: “XML-Signature Syntax and Processing“. 11 W3C Recommendation (version 1.2 parts 0 to 2):
48、“Simple Object Access Protocol (SOAP) , 24 June 2003“. 12 IETF RFC 4510: “Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map“. 13 ITU-R Recommendation TF.460-4: “Standard frequency and time-signal emissions“. ETSI ETSI TR 102 605 V1.1.1 (2007-09) 1114 ETSI TS 101 861: “Ti
49、me stamping profile“. 15 ETSI TS 102 231: “Electronic Signatures and Infrastructures (ESI); Provision of harmonized Trust-service status information“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: Registered E-Mail (REM): enhanced form of mail transmitted by electronic means (e-mail) which provides evidence relating to the handling of an e-mail including proof of submission and delivery 3.2 Abbreviations For the purposes of the present docu
