ETSI TS 102 158-2003 Electronic Signatures and Infrastructures (ESI) Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified ce.pdf

上传人:周芸 文档编号:738764 上传时间:2019-01-12 格式:PDF 页数:42 大小:204.57KB
下载 相关 举报
ETSI TS 102 158-2003 Electronic Signatures and Infrastructures (ESI) Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified ce.pdf_第1页
第1页 / 共42页
ETSI TS 102 158-2003 Electronic Signatures and Infrastructures (ESI) Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified ce.pdf_第2页
第2页 / 共42页
ETSI TS 102 158-2003 Electronic Signatures and Infrastructures (ESI) Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified ce.pdf_第3页
第3页 / 共42页
ETSI TS 102 158-2003 Electronic Signatures and Infrastructures (ESI) Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified ce.pdf_第4页
第4页 / 共42页
ETSI TS 102 158-2003 Electronic Signatures and Infrastructures (ESI) Policy requirements for Certification Service Providers issuing attribute certificates usable with Qualified ce.pdf_第5页
第5页 / 共42页
点击查看更多>>
资源描述

1、 ETSI TS 102 158 V1.1.1 (2003-10)Technical Specification Electronic Signatures and Infrastructures (ESI);Policy requirements for Certification Service Providersissuing attribute certificates usablewith Qualified certificatesETSI ETSI TS 102 158 V1.1.1 (2003-10) 2 Reference DTS/ESI-000012 Keywords e-

2、commerce, electronic signature, IP, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice In

3、dividual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Docu

4、ment Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the

5、current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and t

6、he foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being regis

7、tered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 102 158 V1.1.1 (2003-10) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 6 2 References 7 3 Definiti

8、ons and abbreviations.7 3.1 Definitions7 3.2 Abbreviations .8 4 General concepts 9 4.1 Certified attributes9 4.2 Attribute Authority.9 4.3 Attribute certification services .9 4.4 Attribute certificate policy and attribute certification practice statement.11 4.4.1 Purpose .11 4.4.2 Level of specifici

9、ty .11 4.4.3 Approach 11 4.4.4 Other AA statements.11 4.5 Subscriber and subject12 4.6 Attribute semantics.13 5 Introduction to Attribute Certificate policies .13 5.1 Overview 13 5.2 Identification 13 5.3 User community and applicability14 5.4 Conformance 14 6 Obligations and liability .14 6.1 Attri

10、bute authority obligations .14 6.2 Subscriber obligations 14 6.3 Subject obligations .14 6.4 Information for relying parties .15 6.5 Liability 15 7 Requirements on AA practice 15 7.1 Attribute Certification practice statements .15 7.2 Attribute management life cycle 16 7.2.1 Subject and attribute in

11、itial registration16 7.2.2 Attribute renewal 18 7.2.3 Dissemination of Terms and Conditions.19 7.2.3.1 Terms and Conditions for subscribers and subjects 19 7.2.4 Attribute Certificate acquisition20 7.2.5 Attribute Certificate dissemination.20 7.2.6 Attribute Certificate generation 20 7.2.7 Attribute

12、 and AC revocation and suspension21 7.3 Attribute Authority keys management life cycle22 7.3.1 Attribute Authority keys generation .22 7.3.2 Attribute Authority keys storage, backup and recovery23 7.3.3 Attribute Authority public keys distribution.23 7.3.4 Attribute authority keys usage 23 7.3.5 End

13、 of AA key life cycle 24 7.3.6 Life cycle management of cryptographic hardware used to sign ACs, ACRLs or OCSP responses 24 7.4 AA management and operation24 7.4.1 Security management24 7.4.2 Asset classification and management .25 ETSI ETSI TS 102 158 V1.1.1 (2003-10) 4 7.4.3 Personnel security.25

14、7.4.4 Physical and environmental security.26 7.4.5 Operations management .27 7.4.6 System Access management.28 7.4.7 Trustworthy Systems deployment and maintenance.29 7.4.8 Business continuity management and incident handling 29 7.4.9 AA termination .29 7.4.10 Compliance with Legal requirements .30

15、7.4.11 Recording of information concerning Attribute Certificates 30 7.5 Organizational 32 8 Framework for the definition of other Attribute Certificate policies .33 8.1 Attribute Certificate policy management .33 8.2 Exclusions for AC not issued to the public 33 8.3 Additional requirements .34 8.4

16、Conformance 34 Annex A (normative): Requirements for the format of Attribute Certificates.35 Annex B (informative): Liability assertions.36 Annex C (informative): Model AC disclosure statement38 C.1 Introduction 38 C.2 The PDS structure 38 Annex D (informative): Bibliography.40 History 42 ETSI ETSI

17、TS 102 158 V1.1.1 (2003-10) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 0

18、00 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Pol

19、icy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Tec

20、hnical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction Electronic commerce is emerging as a way of doing business and communicating across public and private networks. Directive 1999/93/EC 1 of the European Parliament and

21、 of the Council on a Community framework for electronic signatures 1 does not explicitly cover the use of attribute certificates, since it only mentions the possibility to include attributes in Public Key Certificates (PKCs) (see Annex I, clause d) which refers to the “provision for a specific attri

22、bute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended“. An important requirement of electronic commerce is the ability to identify, not only the originator of electronic information in the same way that documents are signed using a hand-writ

23、ten signature, but also their attribute(s), e.g. their role(s) in an organization. This may be achieved using certification services in two ways: using attributes included in Public Key Certificates (PKCs); using attributes included in Attribute Certificates (ACs). Only the later case is covered in

24、the present document. A certification-service-provider issuing Attribute Certificates is called an Attribute Authority (AA). For users of electronic signatures to have confidence in the authenticity of the attributes contained in the electronic signatures they need to have confidence that the AA has

25、 properly established procedures and protective measures in order to minimize the operational and financial threats and risks. The present document specifies baseline policy requirements on the operation and management practices of Attribute Authorities issuing Attribute Certificates that can be use

26、d in support of Qualified Electronic Signatures, and thus which are available for use by the public and are linked to a Qualified Certificate supporting the “QCP public + SSCD“ Certification Policy. Attribute Certificates that can be used in such a context can also be used for other reasons, e.g. fo

27、r authorization. In this respect they may be used in a Privilege Management Infrastructure (PMI). ETSI ETSI TS 102 158 V1.1.1 (2003-10) 6 1 Scope The present document specifies policy requirements relating to Attribute Authorities (AAs) which are a type of certification-service-providers as defined

28、in Directive 1999/93/EC 1. The present document specifies policy requirements on the operation and management practices of Attribute Authorities issuing Attribute Certificates such that subscribers, subjects and relying parties may have confidence in the applicability of the Attribute Certificate in

29、 support of electronic signatures. These policy requirements are defined in terms of: a) the specification of two Attribute Certificate policies for Attribute Certificates issued to the public; b) a framework for the definition of other Attribute Certificate policies enhancing the above policies or

30、for Attribute Certificates issued to non-public user groups. The policy assertions relating to the AA include requirements on the provision of services for attribute registration, AC acquisition, AC generation, dissemination, attribute revocation management and AC revocation status. Other certificat

31、ion-service-provider functions are outside the scope of the present document. These policy requirements are specifically aimed at Attribute Certificates issued to the public, and used in support of qualified electronic signatures (i.e. electronic signatures that are legally equivalent to hand-writte

32、n signatures in line with article 5.1 of Directive 1999/93/EC 1). These policy requirements specifically address the requirements for CSPs issuing Attribute Certificates. Attribute certificates issued under these policy requirements may be used to establish the attributes associated with a natural p

33、erson who acts on his own behalf or on behalf of another natural person, or legal person it represents. The present document only addresses the requirements for AAs issuing ACs linked to persons. ACs issued for other purposes are not covered, as these fall outside the scope of Directive 1999/93/EC 1

34、. The present document may be used by competent independent bodies as the basis for confirming that an AA meets the requirements for issuing Attribute Certificates. Although the present document is targeted for Attribute Certificates usable for electronic signatures, they could also be used for acce

35、ss control purposes. It is recommended that subscribers and relying parties consult the attribute certification practice statement of the issuing AA to obtain further information and notice on precisely how a given Attribute Certificate policy is implemented by the particular AA. The present documen

36、t does not specify how the requirements identified may be assessed by an independent party, including requirements for information to be made available to such independent assessors, or requirements on such assessors. ETSI ETSI TS 102 158 V1.1.1 (2003-10) 7 2 References The following documents conta

37、in provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-speci

38、fic reference, the latest version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework f

39、or electronic signatures. 2 ITU-T Recommendation X.509 (2000)|ISO/IEC 9594-8 (2001): “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. 3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the

40、protection of individuals with regard to the processing of personal data and on the free movement of such data. 4 IETF RFC 3280 April 2002: “Internet X.509 Public Key Infrastructure - Certificate and CRL Profile“, R.Housley, W. Ford, W. Polk, D. Solo. 5 ISO/IEC 15408 (parts 1 to 3): “Information tec

41、hnology - Security techniques - Evaluation criteria for IT security“. 6 CEN Workshop Agreement 14167-2: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2 Cryptographic Module for CSP Signing Operations - Protection Profile (MCSO-PP)“. 7 Council D

42、irective 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts. 8 CEN Workshop Agreement 14167-1: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1“. 9 CEN Workshop Agreement 14167-3: “Security Requirements for Trustworthy Systems Manag

43、ing Certificates for Electronic Signatures - Part 3“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: attribute: information bounded to an entity that specifies a characteristic of an entity, such as a group members

44、hip or a role, or other information associated with that entity Attribute Authority (AA): authority trusted by one or more users to create and sign Attribute Certificates Attribute Certificate (AC): data structure containing a set of attributes for an end-entity and some other information, which is

45、digitally signed with the private key of the AA which issued it Attribute Certificate Policy (ACP): named set of rules that indicates the applicability of an Attribute Certificate to a particular community and/or class of application with common security requirements or which indicates basic rules f

46、or registering, delivering and revoking attributes containing Attribute Certificates ETSI ETSI TS 102 158 V1.1.1 (2003-10) 8 Attribute Certificate (AC) validity period: time period during which an Attribute Certificate is deemed to be valid attribute certification period: time period during which AC

47、s including a given Attribute will effectively be provided by the AA Attribute Certification Disclosure Statement (ACDS): supplemental to ACP and ACPS and simplified document that can assist Attribute Certificates users in making informed trust decisions Attribute Certification Practice Statement (A

48、CPS): statement of practices which a Attribute Authority employs in issuing Attribute Certificates Attribute Granting Authority (AGA): authoritative source of an attribute NOTE: The Attribute Granting Authority was called in TR 102 044 the Attribute Issuing Authority (AIA). Certification Authority (

49、CA): authority trusted by one or more users to create and assign Public Key Certificates Certification-Service-Provider (CSP): entity or a legal person who issues certificates or provides other services related to electronic signatures see Directive 1999/93/EC 1 NOTE: The present document is only concerned with certification service providers issuing Attribute Certificates. The present document is not concerned with other types of CSP functions. electronic signature: data in electronic form which are attached to or logically associated

展开阅读全文
相关资源
猜你喜欢
相关搜索

当前位置:首页 > 标准规范 > 国际标准 > 其他

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1