ETSI TR 119 000 V1.2.1 (2016-04)

Electronic Signatures and Infrastructures (ESI);
The framework for standardization of signatures: overview

TECHNICAL REPORT

Reference: RTR/ESI-0019000v121
Keywords: e-commerce, electronic signature, security, trust services

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret No 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) No 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
Modal verbs terminology
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 General framework for standardization related to digital signatures
4.1 Introduction
4.1.1 Objectives
4.1.2 Approach
4.2 Classification scheme for digital signature standards
4.2.1 Functional areas
4.2.2 Document types
4.2.3 Structure with sub-areas
4.2.4 Numbering scheme
4.2.5 Possible extension of classification scheme to incorporate identification and authentication related standards
4.2.6 Guidance documents addressing the framework functional areas
4.3 The framework by area
4.3.0 Foreword
4.3.1 Introductory documents
4.3.2 Signature creation

Intellectual Property Rights

"Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI).

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Introduction

As a response to the adoption of Directive 1999/93/EC [i.1] on a Community framework for electronic signatures (eSignature Directive) in 1999, and in order to facilitate the use and the interoperability of eSignature based solutions, the European Electronic Signature Standardization Initiative (EESSI) was set up to coordinate the European standardization organizations CEN and ETSI in developing a number of standards for electronic signature products and services.

Commission Decision 2003/511/EC [i.2], on generally recognized standards for electronic signature products, was adopted by the Commission following the results of the EESSI. This decision was aimed at fostering the use of electronic signatures by publishing "generally recognized standards" for electronic signature products in compliance with article 3(5) of the Directive. However, by referencing only two standards (respectively on security requirements for trustworthy systems managing certificates for electronic signatures and on secure signature creation devices), it had a limited impact on the mapping between the European standardization on electronic signatures (which covers many more documents and topics, including ancillary services to electronic signatures) and the legal provisions and requirements laid down in Directive 1999/93/EC [i.1].

Emerging cross-border use of electronic signatures and the increasing use of several market instruments (e.g. Services Directive [i.3], Public Procurement [i.4] and [i.5], eInvoicing [i.6]) that rely in their functioning on electronic signatures and the framework set by the eSignature Directive emphasized problems with the mutual recognition and cross-border interoperability of electronic signatures.

Intending to address the legal, technical and standardization related causes of these problems, the Commission launched a study on the standardization aspects of electronic signatures [i.7], which concluded that the multiplicity of standardization deliverables, together with the lack of usage guidelines, the difficulty of access and the lack of business orientation, are detrimental to the interoperability of electronic signatures, and formulated a number of recommendations to mitigate this. Also, because many of the documents have yet to be progressed to full European Standards (ENs), their status may be considered to be uncertain.

The Commission also launched the CROBIES study [i.8] to investigate solutions addressing some specific issues regarding profiles of secure signature creation devices, supervision practices, and common formats for trusted lists, qualified certificates and electronic signatures.

In line with Standardization Mandate 460 [i.9], consequently issued by the Commission to CEN, CENELEC and ETSI for updating the existing signature standardization deliverables, CEN and ETSI have set up the eSignature Coordination Group in order to coordinate the activities achieved for Mandate 460.

One of the first tasks in the context of Mandate 460 was to establish a rationalized framework for signature standardization to overcome these issues within the context of the eSignature Directive, taking into account possible revisions to this Directive.

In August 2014, the European Commission published Regulation 910/2014/EU of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC [i.21]. That Regulation will effectively supersede Directive 1999/93/EC [i.1] on 1 July 2016. This brings within the scope of the Regulation additional services for identification and authentication alongside an extended range of signature related trust services, and defines additional forms of qualified certificates. A work programme has been established and will be maintained to address any elements identified as missing in the framework for standardization of signatures.

Unless specifically addressing specific types of legally defined electronic signatures (e.g. as in Directive 1999/93/EC [i.1] or in Regulation 910/2014/EU [i.21]), all documents of the framework intend to cover digital signatures supported by PKI and public key certificates [i.17], and aim to meet the general requirements of the international community to provide trust and confidence in electronic transactions, including, amongst others, applicable requirements from EU legislation [i.1] and [i.21].

Digital signatures are data appended to, or being a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery. They can enable, when appropriately supported by relevant trust services, implementation of electronic signatures and electronic seals as they are defined in the applicable European legislation [i.1] and [i.21].

1 Scope

The present document describes the general structure for ETSI/CEN digital signature standardization outlining existing and potential standards for such signatures, hereafter referred to as the framework for standardization of signatures. This framework identifies six areas of standardization with a list of existing and potential future standards in each area.

NOTE: Each title providing the name of a listed standard in the framework for standardization of signatures includes a hyperlink that leads to download facilities for such a standard, including all its versions, both as TS/TR and/or as EN when applicable.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
[i.2] Commission Decision 2003/511/EC of 14.7.2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council.
[i.3] Directive 1998/34/EC of the European Parliament and the Council of 22.6.1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.
[i.4] Directive 2004/18/EC of the European Parliament and Council of 31.3.04 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts.
[i.5] Directive 2004/17/EC of the European Parliament and Council of 31.3.04 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sectors.
[i.6] Directive 2006/112/EC of 28.11.06 on the common system of value added tax.
[i.7] "Study on the standardisation aspects of e-signatures", SEALED, DLA Piper et al, 2007.
NOTE: Available at https://ec.europa.eu/digital-agenda/en/news/study-standardisation-aspects-e-signatures-2007.
[i.8] "CROBIES: Study on Cross-Border Interoperability of eSignatures", Siemens, SEALED and TimeLex, 2010.
NOTE: Available at https://ec.europa.eu/digital-agenda/en/news/crobies-study-cross-border-interoperability-esignatures-2010.
[i.9] Mandate M460: "Standardisation Mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the Field of Information and Communication Technologies Applied to Electronic Signatures".
[i.10] ISO/IEC 27000: "Information technology - Security techniques - Information security management systems - Overview and vocabulary".
[i.11] IETF RFC 3647: "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework".
[i.12] W3C Recommendation: "XML Signature Syntax and Processing Version 1.1", 11 April 2013.
[i.13] ISO 32000-1: "Document management - Portable document format - Part 1: PDF 1.7".
[i.14] Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market.
[i.15] IETF RFC 3161 (August 2001): "Internet X.509 Public Key Infrastructure Time-Stamp Protocol".
[i.16] CCMB-2006-09-001: "Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; Version 3.1, Revision 3", July 2009.
[i.17] Recommendation ITU-T X.509/ISO/IEC 9594-8: "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks".
[i.18] Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market.
[i.19] Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States.
[i.20] IETF RFC 5816: "ESSCertIDV2 update to RFC 3161".
[i.21] Regulation 910/2014/EU of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
[i.22] ETSI TR 119 001: "Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definitions and abbreviations".
[i.23] Commission Decision 2013/662/EU of 14 October 2013 amending Decision 2
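The Introduction defines a digital signature as data appended to, or a cryptographic transformation of, a data unit that lets the recipient prove the source and integrity of that unit and protect against forgery. The following Python example illustrates each part of that definition (signing as a transformation of the unit's digest, the signature appended to the unit, verification with the public key, and rejection of both a modified unit and a guessed signature). It is an added example and is not part of the present document or of any ETSI or CEN deliverable; the key is a constructed, deliberately tiny textbook RSA key chosen so the arithmetic is visible and is not secure, and the names `sign`, `verify`, `SignedUnit` and `demo` and the sample data unit are assumptions of the example, not terms from the framework.

```python
"""Illustration of the digital-signature definition: a cryptographic
transformation of (a digest of) a data unit, appended to the unit, that lets
the recipient check source and integrity and detect forgery.

Added example, not part of ETSI TR 119 000. The key below is a constructed,
INSECURE toy RSA key (tiny modulus, no padding) used only so that the
transformation is visible; deployed systems use standardized key sizes,
padding and vetted libraries.
"""
import hashlib
from typing import NamedTuple

# Constructed toy parameters (illustration only): two well-known ~30-bit primes.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)        # private exponent = modular inverse of E (Python 3.8+)

PUBLIC_KEY = (N, E)        # held by every recipient
PRIVATE_KEY = (N, D)       # held only by the signer


class SignedUnit(NamedTuple):
    """A data unit with its signature appended (the 'data appended to' form)."""
    data: bytes
    signature: int


def digest(data: bytes, n: int) -> int:
    """Hash the data unit and reduce it into the signing group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key=PRIVATE_KEY) -> SignedUnit:
    """Signer side: transform the digest with the private exponent and
    append the result to the data unit."""
    n, d = private_key
    return SignedUnit(data, pow(digest(data, n), d, n))


def verify(unit: SignedUnit, public_key=PUBLIC_KEY) -> bool:
    """Recipient side: undo the transformation with the public exponent and
    compare with a fresh digest of the received data. True only if the data
    is unmodified (integrity) and the signature was produced with the
    private key matching this public key (source)."""
    n, e = public_key
    return pow(unit.signature, e, n) == digest(unit.data, n)


def demo() -> dict:
    """Exercise the three properties the definition names."""
    original = sign(b"Invoice 42: pay 100 EUR to account A")   # constructed data unit
    # Integrity: same signature, altered data unit.
    tampered = SignedUnit(b"Invoice 42: pay 900 EUR to account A", original.signature)
    # Forgery: a party without the private key can only guess a signature value.
    forged = SignedUnit(original.data, 123456789)
    return {
        "genuine_verifies": verify(original),
        "tampered_data_rejected": not verify(tampered),
        "forged_signature_rejected": not verify(forged),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dictionary in which all three checks are true. The reduction of the SHA-256 digest modulo the toy modulus is only there to keep the numbers inside the tiny group; with real key sizes the digest is embedded with a standardized padding scheme instead.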