1、 ETSI TS 102 158 V1.1.1 (2003-10)Technical Specification Electronic Signatures and Infrastructures (ESI);Policy requirements for Certification Service Providersissuing attribute certificates usablewith Qualified certificatesETSI ETSI TS 102 158 V1.1.1 (2003-10) 2 Reference DTS/ESI-000012 Keywords e-
2、commerce, electronic signature, IP, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice In
3、dividual copies of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Docu
4、ment Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the
5、current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and t
6、he foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being regis
7、tered by ETSI for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 102 158 V1.1.1 (2003-10) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 6 2 References 7 3 Definiti
8、ons and abbreviations.7 3.1 Definitions7 3.2 Abbreviations .8 4 General concepts 9 4.1 Certified attributes9 4.2 Attribute Authority.9 4.3 Attribute certification services .9 4.4 Attribute certificate policy and attribute certification practice statement.11 4.4.1 Purpose .11 4.4.2 Level of specifici
9、ty .11 4.4.3 Approach 11 4.4.4 Other AA statements.11 4.5 Subscriber and subject12 4.6 Attribute semantics.13 5 Introduction to Attribute Certificate policies .13 5.1 Overview 13 5.2 Identification 13 5.3 User community and applicability14 5.4 Conformance 14 6 Obligations and liability .14 6.1 Attri
10、bute authority obligations .14 6.2 Subscriber obligations 14 6.3 Subject obligations .14 6.4 Information for relying parties .15 6.5 Liability 15 7 Requirements on AA practice 15 7.1 Attribute Certification practice statements .15 7.2 Attribute management life cycle 16 7.2.1 Subject and attribute in
11、itial registration16 7.2.2 Attribute renewal 18 7.2.3 Dissemination of Terms and Conditions.19 7.2.3.1 Terms and Conditions for subscribers and subjects 19 7.2.4 Attribute Certificate acquisition20 7.2.5 Attribute Certificate dissemination.20 7.2.6 Attribute Certificate generation 20 7.2.7 Attribute
12、 and AC revocation and suspension21 7.3 Attribute Authority keys management life cycle22 7.3.1 Attribute Authority keys generation .22 7.3.2 Attribute Authority keys storage, backup and recovery23 7.3.3 Attribute Authority public keys distribution.23 7.3.4 Attribute authority keys usage 23 7.3.5 End
13、 of AA key life cycle 24 7.3.6 Life cycle management of cryptographic hardware used to sign ACs, ACRLs or OCSP responses 24 7.4 AA management and operation24 7.4.1 Security management24 7.4.2 Asset classification and management .25 ETSI ETSI TS 102 158 V1.1.1 (2003-10) 4 7.4.3 Personnel security.25
14、7.4.4 Physical and environmental security.26 7.4.5 Operations management .27 7.4.6 System Access management.28 7.4.7 Trustworthy Systems deployment and maintenance.29 7.4.8 Business continuity management and incident handling 29 7.4.9 AA termination .29 7.4.10 Compliance with Legal requirements .30
15、7.4.11 Recording of information concerning Attribute Certificates 30 7.5 Organizational 32 8 Framework for the definition of other Attribute Certificate policies .33 8.1 Attribute Certificate policy management .33 8.2 Exclusions for AC not issued to the public 33 8.3 Additional requirements .34 8.4
16、Conformance 34 Annex A (normative): Requirements for the format of Attribute Certificates.35 Annex B (informative): Liability assertions.36 Annex C (informative): Model AC disclosure statement38 C.1 Introduction 38 C.2 The PDS structure 38 Annex D (informative): Bibliography.40 History 42 ETSI ETSI
17、TS 102 158 V1.1.1 (2003-10) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 0
18、00 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Pol
19、icy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Tec
20、hnical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). Introduction Electronic commerce is emerging as a way of doing business and communicating across public and private networks. Directive 1999/93/EC 1 of the European Parliament and
21、 of the Council on a Community framework for electronic signatures 1 does not explicitly cover the use of attribute certificates, since it only mentions the possibility to include attributes in Public Key Certificates (PKCs) (see Annex I, clause d) which refers to the “provision for a specific attri
22、bute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended“. An important requirement of electronic commerce is the ability to identify, not only the originator of electronic information in the same way that documents are signed using a hand-writ
23、ten signature, but also their attribute(s), e.g. their role(s) in an organization. This may be achieved using certification services in two ways: using attributes included in Public Key Certificates (PKCs); using attributes included in Attribute Certificates (ACs). Only the later case is covered in
24、the present document. A certification-service-provider issuing Attribute Certificates is called an Attribute Authority (AA). For users of electronic signatures to have confidence in the authenticity of the attributes contained in the electronic signatures they need to have confidence that the AA has
25、 properly established procedures and protective measures in order to minimize the operational and financial threats and risks. The present document specifies baseline policy requirements on the operation and management practices of Attribute Authorities issuing Attribute Certificates that can be use
26、d in support of Qualified Electronic Signatures, and thus which are available for use by the public and are linked to a Qualified Certificate supporting the “QCP public + SSCD“ Certification Policy. Attribute Certificates that can be used in such a context can also be used for other reasons, e.g. fo
27、r authorization. In this respect they may be used in a Privilege Management Infrastructure (PMI). ETSI ETSI TS 102 158 V1.1.1 (2003-10) 6 1 Scope The present document specifies policy requirements relating to Attribute Authorities (AAs) which are a type of certification-service-providers as defined
28、in Directive 1999/93/EC 1. The present document specifies policy requirements on the operation and management practices of Attribute Authorities issuing Attribute Certificates such that subscribers, subjects and relying parties may have confidence in the applicability of the Attribute Certificate in
29、 support of electronic signatures. These policy requirements are defined in terms of: a) the specification of two Attribute Certificate policies for Attribute Certificates issued to the public; b) a framework for the definition of other Attribute Certificate policies enhancing the above policies or
30、for Attribute Certificates issued to non-public user groups. The policy assertions relating to the AA include requirements on the provision of services for attribute registration, AC acquisition, AC generation, dissemination, attribute revocation management and AC revocation status. Other certificat
31、ion-service-provider functions are outside the scope of the present document. These policy requirements are specifically aimed at Attribute Certificates issued to the public, and used in support of qualified electronic signatures (i.e. electronic signatures that are legally equivalent to hand-writte
32、n signatures in line with article 5.1 of Directive 1999/93/EC 1). These policy requirements specifically address the requirements for CSPs issuing Attribute Certificates. Attribute certificates issued under these policy requirements may be used to establish the attributes associated with a natural p
33、erson who acts on his own behalf or on behalf of another natural person, or legal person it represents. The present document only addresses the requirements for AAs issuing ACs linked to persons. ACs issued for other purposes are not covered, as these fall outside the scope of Directive 1999/93/EC 1
34、. The present document may be used by competent independent bodies as the basis for confirming that an AA meets the requirements for issuing Attribute Certificates. Although the present document is targeted for Attribute Certificates usable for electronic signatures, they could also be used for acce
35、ss control purposes. It is recommended that subscribers and relying parties consult the attribute certification practice statement of the issuing AA to obtain further information and notice on precisely how a given Attribute Certificate policy is implemented by the particular AA. The present documen
36、t does not specify how the requirements identified may be assessed by an independent party, including requirements for information to be made available to such independent assessors, or requirements on such assessors. ETSI ETSI TS 102 158 V1.1.1 (2003-10) 7 2 References The following documents conta
37、in provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-speci
38、fic reference, the latest version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework f
39、or electronic signatures. 2 ITU-T Recommendation X.509 (2000)|ISO/IEC 9594-8 (2001): “Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks“. 3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
40、protection of individuals with regard to the processing of personal data and on the free movement of such data. 4 IETF RFC 3280 April 2002: “Internet X.509 Public Key Infrastructure - Certificate and CRL Profile“, R.Housley, W. Ford, W. Polk, D. Solo. 5 ISO/IEC 15408 (parts 1 to 3): “Information tec
41、hnology - Security techniques - Evaluation criteria for IT security“. 6 CEN Workshop Agreement 14167-2: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2 Cryptographic Module for CSP Signing Operations - Protection Profile (MCSO-PP)“. 7 Council D
42、irective 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts. 8 CEN Workshop Agreement 14167-1: “Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1“. 9 CEN Workshop Agreement 14167-3: “Security Requirements for Trustworthy Systems Manag
43、ing Certificates for Electronic Signatures - Part 3“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: attribute: information bounded to an entity that specifies a characteristic of an entity, such as a group members
44、hip or a role, or other information associated with that entity Attribute Authority (AA): authority trusted by one or more users to create and sign Attribute Certificates Attribute Certificate (AC): data structure containing a set of attributes for an end-entity and some other information, which is
45、digitally signed with the private key of the AA which issued it Attribute Certificate Policy (ACP): named set of rules that indicates the applicability of an Attribute Certificate to a particular community and/or class of application with common security requirements or which indicates basic rules f
46、or registering, delivering and revoking attributes containing Attribute Certificates ETSI ETSI TS 102 158 V1.1.1 (2003-10) 8 Attribute Certificate (AC) validity period: time period during which an Attribute Certificate is deemed to be valid attribute certification period: time period during which AC
47、s including a given Attribute will effectively be provided by the AA Attribute Certification Disclosure Statement (ACDS): supplemental to ACP and ACPS and simplified document that can assist Attribute Certificates users in making informed trust decisions Attribute Certification Practice Statement (A
48、CPS): statement of practices which a Attribute Authority employs in issuing Attribute Certificates Attribute Granting Authority (AGA): authoritative source of an attribute NOTE: The Attribute Granting Authority was called in TR 102 044 the Attribute Issuing Authority (AIA). Certification Authority (
49、CA): authority trusted by one or more users to create and assign Public Key Certificates Certification-Service-Provider (CSP): entity or a legal person who issues certificates or provides other services related to electronic signatures see Directive 1999/93/EC 1 NOTE: The present document is only concerned with certification service providers issuing Attribute Certificates. The present document is not concerned with other types of CSP functions. electronic signature: data in electronic form which are attached to or logically associated
