1、 ETSI TS 102 204 V1.1.4 (2003-08)Technical Specification Mobile Commerce (M-COMM);Mobile Signature Service;Web Service InterfaceETSI ETSI TS 102 204 V1.1.4 (2003-08) 2 Reference DTS/M-COMM-004 Keywords commerce, electronic signature, interface, internet, m-commerce, mobile, service ETSI 650 Route de
2、s Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document can be downloaded from
3、: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be
4、the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available a
5、t http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
6、European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPPTM is a Trad
7、e Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 102 204 V1.1.4 (2003-08) 3 Contents Intellectual Property Rights5 Foreword.5 Introduction 5 1 Scope 7 2 References 8 3 Definitions and abbreviations.9 3.1 Definitions9 3.2 Abbreviations .10
8、 4 Void11 5 Introduction to mobile signature 11 5.1 Overview 11 5.1.1 Mobile Signature 11 5.1.2 Using mobile signature .12 5.1.3 Mobile Signature Service (MSS)12 5.2 Notation13 5.3 XML schema declaration .13 6 Mobile Signature Service (MSS) functions14 6.1 Mobile Signature 14 6.1.1 Mobile Signature
9、profile.14 6.1.2 Mobile Signature messaging modes .15 6.1.2.1 Synchronous mode15 6.1.2.2 Asynchronous - ClientServer mode 16 6.1.2.3 Asynchronous - ServerServer mode17 6.2 Mobile Signature status query18 6.3 Mobile Signature profile query 18 6.4 Mobile Signature registration.19 6.5 Mobile Signature
10、receipt 19 6.6 Mobile Signature handshake 20 7 Mobile Signature web service 21 7.1 Mobile Signature method .21 7.2 Mobile Signature status query method .22 7.3 Mobile Signature Receipt Method23 7.4 Mobile Signature Registration Method 24 7.5 Mobile Signature Profile Query Method 24 7.6 Mobile Signat
11、ure notification method25 7.7 Mobile Signature handshake method .26 8 Message formats.26 8.1 Message abstract type.26 8.2 MSS Signature Request SigREQ - STD 28 8.3 MSS Signature response SigRESP STD.29 8.4 MSS Status Request StatREQ STD 30 8.5 MSS status response StatRESP - STD.30 8.6 MSS registrati
12、on request RegREQ STD.31 8.7 MSS registration response RegRESP STD.31 8.8 MSS profile request ProfREQ STD32 8.9 MSS profile response ProfRESP STD32 8.10 MSS receipt request RecREQ STD 33 8.11 MSS receipt response RecRESP - STD.33 8.12 MSS Handshake request HShakeREQ STD .34 8.13 MSS handshake respon
13、se HShakeRESP STD35 ETSI ETSI TS 102 204 V1.1.4 (2003-08) 4 9 Auxiliary types .36 9.1 URI identifier .36 9.2 General auxiliary types.37 9.2.1 MeshMember37 9.2.2 Digest alg and value37 9.2.3 mssURI .37 9.2.4 Mobile user .38 9.3 AP auxiliary types 38 9.3.1 Messaging mode .38 9.3.2 Data.39 9.3.3 Key re
14、ference39 9.3.4 Additional service.39 9.3.5 Signature profile comparison40 9.4 MSSP auxiliary types .40 9.4.1 Signature.40 9.4.2 Status 41 9.4.3 Status code41 9.4.4 Status Detail41 10 Communication Protocol Binding41 10.1 Encoding rules41 10.2 SOAP header42 10.3 SOAP body.42 10.4 SOAP over the HTTP
15、protocol.42 10.5 WSDL Description.42 10.6 Error handling 43 11 Web Service: Security and Privacy Considerations .45 11.1 Handshake 45 11.2 Security and privacy.45 11.2.1 Purposes45 11.2.2 Simplified threat model for Mobile Signature Web Service.46 11.2.3 Security framework.46 11.3 XML Signatures .47
16、 11.4 Mobile signatures .48 11.5 Security protocols.48 Annex A (normative): XML Schema49 Annex B (normative): SOAP FAULT Subcodes .55 Annex C (normative): MSS Status Codes 56 Annex D (informative): Examples.57 D.1 Mobile Signature request - Response in synchronous mode without XML Signatures.57 D.2
17、Mobile Signature Request - Response with an error59 D.3 Mobile Signature Request - Response in Asynchronous Client-Server mode with XML Signatures .60 Annex E (informative): Bibliography.64 History 65 ETSI ETSI TS 102 204 V1.1.4 (2003-08) 5 Intellectual Property Rights IPRs essential or potentially
18、essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs n
19、otified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
20、 can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword The present document (TS) has been produced by ETSI Project M-Commerce (M-COMM). Introduction Cit
21、izens around the world are making use increasingly of electronic communications facilities in their daily lives. This often involves interactions between parties who have never previously met - or may never meet - and for whom no pre-established relationship exists. Consequently, communications netw
22、orks of all kinds are being exploited in new ways to conduct business, to facilitate remote working and to create other “virtual“ shared environments. Consumers, businesses and government departments alike benefit in various ways. For the European Union (“EU“), electronic commerce presents an excell
23、ent opportunity to advance its programmes for economic integration. But, such an approach requires an appropriate security mechanism to allow completion of “remote“ interactions between parties with confidence. To this end, the European Parliament and Council Directive on Electronic Signatures (1999
24、/93/EC 22) was published on December-13th, 1999. The definition of “electronic signature“ contained in Article 2 of the Directive facilitated the recognition of data in electronic form in the same manner as a hand-written signature satisfies those requirements for paper-based data. Since electronic
25、signatures can only be as “good“ as the technology and processes used to create them, “standardization“ activities such as those in Europe by ETSI and CEN within the EESSI framework aim to ensure that a common level of confidence and acceptance can be recognized. The result will be a powerful enabli
26、ng facility for electronic commerce and, more generally, for completion of transactions of any kind. In the context of the EU Directive, the present document focuses on electronic signatures created by cryptographic means in a “secure signature creation device“. To date (June 2003), security provisi
27、ons for signature creation and verification systems are such that parties wishing to provide a signature require “special“ equipment. Typically, this involves a smartcard and a card reader with sufficient processing power and display capabilities to present full details of the transaction to be “sig
28、ned“. For consumer markets, however, it is doubtful whether individual citizens will want to invest in such equipment, which for the most part may remain connected to (or inserted into) personal computer equipment located in the home. An alternative approach is to capitalize on the fact that many ci
29、tizens already possess a device which contains a smartcard and which itself is effectively a personal card reader - their mobile phone. In some European countries, mobile penetration rates are approaching 80 % of the population. As one of the most widely-owned electronic devices, the mobile phone re
30、presents the natural choice for implementation of a socially-inclusive, electronic signature solution for the majority of citizens. Electronic signatures created in this way have become known as “Mobile Signatures“ and a number of initiatives are already underway to evaluate the feasibility of such
31、an approach. Only a small number of these have so far been implemented commercially and none have yet been extended to a mass-market scale. Many of those engaged in such activity cite “interoperability“ issues as a restraining factor, requiring standardization to avoid market fragmentation. ETSI ETS
32、I TS 102 204 V1.1.4 (2003-08) 6 The concept of a “Mobile Signature“ is attractive because it leverages existing commercial models, network infrastructure, mobile device technology (including the SIM-infrastructure) and customer relationships managed by GSM mobile network operators. This offers the p
33、rospect that the concept could be adopted by around one billion mobile phone users in 179 countries, world-wide. Extension of the concept to other mobile network technologies is also possible. Adoption of mobile signature might also assist in the fight against international crimes, such as money “la
34、undering“. In this case, the opportunity provided by mobile signature to identify the citizens who are party to a transaction is attractive, subject to provisions concerning Data Protection, Privacy and Legal Interception (as applied to data services). Acceptance of the concept universally now requi
35、res “standardization“ of a common service methodology, where signature requests/responses can be issued/received in a “standard“ format - irrespective of mobile device characteristics. To this end, the European Commission allocated funds to ETSI to establish a Specialist Task Force (STF-221) to prod
36、uce a set of deliverables on “Mobile Signature Service“. It is envisaged that mobile signature services will play a pivotal role in reaching an appropriate level of confidence, acceptance and interoperability to support implementation of the European Directive on Electronic Signature - particularly
37、for consumer (mass) markets. This Technical Report focuses on those technologies able to realize a mobile signature the equivalent of an “enhanced electronic signature“ as defined by the European Directive. The mobile signature service is considered suitable for the administration and management of
38、all aspects relating to: Advising and guiding citizens about the use of mobile signature Acquiring mobile signature capability Managing citizen identity (including Data protection and individual privacy) Processing of signature requests from application providers (and providing responses) Maintainin
39、g signature transaction records for the citizen. Managing all aspects of signature lifecycle (e.g. validity, expiry) Supporting service administration and maintenance activities The definition of the Mobile Signature Service comprises the following report and specifications: TR 102 203 12: “Mobile C
40、ommerce (M-COMM); Mobile Signature; Business Mobile Signature;Web Service Interface“. TR 102 206 13: “Mobile Commerce (M-COMM); Mobile Signature Service; Security Framework“. TS 102 207 14: “Mobile Commerce (M-COMM); Mobile Signature Service; Specifications for Roaming in Mobile Signature Services“.
41、 Together, the Technical Reports (TRs) and the Technical Specifications (TSs) allow the design and implementation of interoperable mobile signature solutions. ETSI ETSI TS 102 204 V1.1.4 (2003-08) 7 1 Scope The present document specifies the Mobile Signature Service as a Web Service: MOBILE SIGNATUR
42、E WEB SERVICE. From the business and functional requirements of TR 102 203 12, the present document identifies the methods that must be provided by a Mobile Signature Web Service Provider. The present document specifies the data structures and messaging models related to these methods thanks to XML
43、Schema and WSDL. Documentations about these technologies can be found in clause 2. The complete MSS XML Schema is provided in Annex A. A SOAP 1.2 binding is proposed as the mandatory protocol binding. The corresponding WSDL 1.1 description document of such a web service is specified. In defining the
44、 Web service, the present document makes reference to interactions between different parties and to the end user experience of a mobile signature service at the mobile device. This is done to illustrate concepts and facilitate definition of the Web service - only. Readers are referred to other sourc
45、es of information as indicated in clause 2 regarding definitions and specifications for these topics. Structure of the present document: Scope: a description of the goals and objectives of the present document. Document Administration: an explanation of the structure, definitions, symbols and abbrev
46、iations used in the present document. Introduction to mobile signature: positions the Mobile Signature project and EC funding etc leading to overview of why mobile signature has a way to accelerate deployment of electronic signatures as originally envisaged by the EU Directive. Mobile Signature Serv
47、ice Functions: this section describes the high-level functionalities provided by a Mobile Signature Service Provider. Mobile Signature Web Service: the Mobile Signature Service is specified as a Web Service in this section. Message Formats: the XML messages exchanged between an Application Provider
48、and a Mobile Signature Service Provider are presented. Auxiliary XML Data Types: the messages presented in the previous chapter are based upon the XML data types specified here. Communication Protocol Binding: the protocol binding for the Mobile Signature Service is specified as SOAP 1.2 over HTTP.
49、Web Service - Security and Privacy Considerations: Security and Privacy considerations with respect to the Mobile Signature Service are presented. ETSI ETSI TS 102 204 V1.1.4 (2003-08) 8 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For a specific reference, subsequent r
