1、 ETSI TS 101 862 V1.3.3 (2006-01)Technical Specification Qualified Certificate profileETSI ETSI TS 101 862 V1.3.3 (2006-01) 2 Reference RTS/ESI-000045 Keywords electronic signature, IP, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93
2、 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electro
3、nic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within
4、 ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document,
5、 please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommu
6、nications Standards Institute 2006. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI reg
7、istered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 101 862 V1.3.3 (2006-01) 3 Contents Intellectual Property Rights4 Foreword.4 Introduction 4 1 Scope 5 2 References 5 3 Abbreviations .5 4 Document structure 6 5 Certificate Profile .6 5.1 Issuer field6 5.2 Q
8、ualified Certificate Statements.6 5.2.1 Statement claiming that the certificates is a Qualified Certificate 6 5.2.2 Statement regarding limits on the value of transactions .7 5.2.3 Statement indicating the duration of the retention period of material information.7 5.2.4 Statement claiming that the p
9、rivate key related to the certified public key resides in a Secure Signature Creation Device 8 5.3 Qualified Certificate Indication8 Annex A (informative): Relationship with the Directive 9 A.1 Annex I of the Directive.9 A.2 Annex II of the Directive10 Annex B (normative): ASN.1 declarations.11 Hist
10、ory 13 ETSI ETSI TS 101 862 V1.3.3 (2006-01) 4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be f
11、ound in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to
12、 the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.
13、Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction The Directive of the European Parliament and of the Council on a Community framework for electronic signatures (1999/93/EC 1) defines requirements on
14、 a specific type of certificates named “Qualified Certificates“. These certificates are given a specific relevance for acceptance of electronic signatures through the following part of article 5 (Legal effects of electronic signatures): Member States shall ensure that advanced electronic signatures
15、which are based on a Qualified Certificate and which are created by a secure-signature-creation device: a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data;
16、and b) are admissible as evidence in legal proceedings. The Directive 1999/93/EC 1 defines a Qualified Certificate in article 2 as: “Qualified Certificate“ means a certificate which meets the requirements laid down in Annex I and is provided by a certification-service-provider who fulfils the requir
17、ements laid down in Annex II“. ETSI ETSI TS 101 862 V1.3.3 (2006-01) 5 1 Scope The present document defines a profile for Qualified Certificates, based on the technical definitions in RFC 3739 4, that may be used by issuers of Qualified Certificates complying with Annex I and II of the European Elec
18、tronic Signature Directive 1999/93/EC 1. This Qualified Certificate profile and the IETF Qualified Certificate profile RFC 3739 4 address Qualified Certificates within different contexts and therefore also use the term Qualified Certificate with slightly different meanings. While the IETF profile us
19、es the term Qualified Certificates within a universal context independent of local legal requirements, this profile uses the term to explicitly describe a Qualified Certificate as defined in the European Electronic Signature Directive 1999/93/EC 1. 2 References The following documents contain provis
20、ions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific refer
21、ence, the latest version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electr
22、onic signatures. 2 ITU-T Recommendation X.509/ISO/IEC 9594-8: “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. 3 IETF RFC 3280: “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
23、“. 4 IETF RFC 3739: “Internet X.509 Public Key Infrastructure: Qualified Certificates Profile“. 5 ISO/IEC 8824-1/ITU-T Recommendation X.680: “Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation“. 6 ISO/IEC 8824-2/ITU-T Recommendation X.681: “Information tec
24、hnology - Abstract Syntax Notation One (ASN.1): Information object specification“. 7 ISO/IEC 8824-3/ITU-T Recommendation X.682: “Information technology - Abstract Syntax Notation One (ASN.1): Constraint specification“. 8 ISO/IEC 8824-4/ITU-T Recommendation X.683: “Information technology - Abstract S
25、yntax Notation One (ASN.1): Parameterization of ASN.1 specifications“. 9 ISO 4217: “Codes for the representation of currencies and funds“. 3 Abbreviations For the purposes of the present document, the following abbreviations apply: CA Certification Authority OID Object IDentifier SSCD Secure Signatu
26、re Creation Device ETSI ETSI TS 101 862 V1.3.3 (2006-01) 6 4 Document structure The normative and informative parts of the present document are provided according to the following document structure: clause 4 contains the core part of the present document, defining the amendments to RFC 3739 4; Anne
27、x A provide a general information how the requirements of Annex I of the Directive can be implemented using tools defined in the present document as well as tools in the underlying standards RFC 3280 3 and ITU-T Recommendation X.509 2; Annex B contains the ASN.1 (ISO/IEC 8824-1 5, ISO/IEC 8824-2 6,
28、ISO/IEC 8824-3 7, ISO/IEC 8824-4 8) modules of the present document. 5 Certificate profile This profile is based on the Internet certificate profile RFC 3739 4, which in turn is based on RFC 3280 3 and the X.509 version 3 2. For full implementation of this profile, implementers are REQUIRED to consu
29、lt the underlying formats and semantics defined in RFC 3739 4. In case of discrepancies between the present document and RFC 3739 4, the present document is the normative one. 5.1 Issuer field The name of the issuer contained in the issuer field (as defined in clause 3.1.1 in RFC 3739 4) MUST contai
30、n a country name stored in the countryName attribute. The specified country SHALL be the country in which the issuer of the certificate is established. 5.2 Qualified Certificate Statements This profile defines a number of individual statements for use with the extension for Qualified Certificates St
31、atements “qCStatements extension“, defined in RFC 3739 4. When this extension is marked critical, this means that all statements included in the extension are regarded as critical. The following statements are defined in this profile: statement claiming that the certificates is issued as a Qualified
32、 Certificate; statement regarding limits on the value of transactions for which the certificate can be used; statement indicating the duration of the retention period during which registration information is archived; statement claiming that the private key associated with the public key in the cert
33、ificate resides within a Secure Signature Creation Device. 5.2.1 Statement claiming that the certificate is a Qualified Certificate The statement defined in this clause contains: An Identifier of the statement (represented by an OID) made by the CA, stating that this certificate is issued as a Quali
34、fied Certificate according to Annex I and II of the EU Directive 1999/93/EC 1, as implemented in the law of the country where the CA is established. ETSI ETSI TS 101 862 V1.3.3 (2006-01) 7 esi4-qcStatement-1 QC-STATEMENT := IDENTIFIED BY id-etsi-qcs-QcCompliance - This statement is a statement by th
35、e issuer that this - certificate is issued as a Qualified Certificate according - Annex I and II of the Directive 1999/93/EC of the European Parliament - and of the Council of 13 December 1999 on a Community framework - for electronic signatures, as implemented in the law of the country - specified
36、in the issuer field of this certificate. id-etsi-qcs-QcCompliance OBJECT IDENTIFIER := id-etsi-qcs 1 5.2.2 Statement regarding limits on the value of transactions The limits on the value of transactions, for which the certificate can be used, if applicable, may be indicated using the statement defin
37、ed in this clause. The codes are defined in ISO 4217 9. This optional statement contains: an identifier of this statement (represented by an OID); a monetary value expressing the limit on the value of transactions. esi4-qcStatement-2 QC-STATEMENT := SYNTAX QcEuLimitValue IDENTIFIED BY id-etsi-qcs-Qc
38、LimitValue - This statement is a statement by the issuer which impose a - limitation on the value of transaction for which this certificate - can be used to the specified amount (MonetaryValue), according to - the Directive 1999/93/EC of the European Parliament and of the - Council of 13 December 19
39、99 on a Community framework for - electronic signatures, as implemented in the law of the country - specified in the issuer field of this certificate. QcEuLimitValue := MonetaryValue MonetaryValue:= SEQUENCE currency Iso4217CurrencyCode, amount INTEGER, exponent INTEGER - value = amount * 10exponent
40、 Iso4217CurrencyCode := CHOICE alphabetic PrintableString (SIZE (3), - Recommended numeric INTEGER (1999) - Alphabetic or numeric currency code as defined in ISO 4217 - It is recommended that the Alphabetic form is used id-etsi-qcs-QcLimitValue OBJECT IDENTIFIER := id-etsi-qcs 2 5.2.3 Statement indi
41、cating the duration of the retention period of material information Reliance on Qualified Certificates may depend on the existence of external information retained by the CA. A significant aspect is that the Directive 1999/93/EC 1 allows name forms in certificates, such as pseudonyms, which may requ
42、ire assistance from the CA or a relevant name registration authority, in order to identify the associated physical person in case of a dispute. This optional statement contains: an identifier of this statement (represented by an OID); a retention period for material information relevant to the use o
43、f and reliance on the certificate, expressed as a number of years after the expiry date of the certificate. ETSI ETSI TS 101 862 V1.3.3 (2006-01) 8 esi4-qcStatement-3 QC-STATEMENT := SYNTAX QcEuRetentionPeriod IDENTIFIED BY id-etsi-qcs-QcRetentionPeriod - This statement is a statement by which the i
44、ssuer guarantees - that for the certificate where this statement appears that - material information relevant to use of and reliance on the certificate - will be archived and can be made available upon - request beyond the end of the validity period of the certificate - for the number of years as in
45、dicated in this statement. QcEuRetentionPeriod := INTEGER id-etsi-qcs-QcRetentionPeriod OBJECT IDENTIFIER := id-etsi-qcs 3 5.2.4 Statement claiming that the private key related to the certified public key resides in a Secure Signature Creation Device (SSCD) CAs claiming to issue certificates where t
46、he private key related to the certified public key resides in a Secure Signature Creation Device (SSCD) MAY use this optional statement. This optional statement contains: An Identifier of the statement (represented by an OID), made by the CA, stating that the private key associated with the public k
47、ey in the certificate is stored in a Secure Signature Creation Device according to Annex III of the EU Directive 1999/93/EC 1, as implemented in the law of the country where the CA is established. esi4-qcStatement-4 QC-STATEMENT := IDENTIFIED BY id-etsi-qcs-QcSSCD - This statement is a statement by
48、which the issuer claims - that for the certificate where this statement appears - the private key associated with the public key in the certificate - is protected according to Annex III of the Directive 1999/93/EC of - the European Parliament and of the Council of 13 December 1999 on a - Community f
49、ramework for electronic signatures. id-etsi-qcs-QcSSCD OBJECT IDENTIFIER := id-etsi-qcs 4 5.3 Qualified Certificate Indication The following two techniques can be utilized to declare that a certificate is issued as a Qualified Certificate: 1) by identifying a certificate policy in the Certificate Policies extensions, as defined in clause 4.2.1.5 from RFC 3280 3, clearly expressing t
